
Issue 862692


Issue metadata

Status: WontFix
Closed: Jul 24
Pri: 2
Type: Bug


Feature Policy JS API: does not return correct values when specifying multiple origins values

Project Member Reported by ericbidelman@chromium.org, Jul 11

Issue description

Chrome Version: 69.0.3488.0 (Official Build) canary (64-bit)
OS: macOS

What steps will reproduce the problem?
(1) Send a policy header of:  Feature-Policy: geolocation 'self' https://example.com

What is the expected result?

The JS API returns https://example.com as an allowed origin for geolocation.

What happens instead?

The API returns the self origin as the only allowed origin:

document.policy.getAllowlistForFeature('geolocation')
// ["http://localhost:8080"]

document.policy.allowsFeature('geolocation', 'https://example.com')
// false

Labels: -Pri-3 M-69 Pri-2
Owner: loonyb...@chromium.org
loonybear@, I haven't reproduced the bug, please investigate.

Assuming there's a problem, the goal is to land a fix (and more tests), and merge back to M69. There's an origin trial for the JS API starting in M69.
Interesting, because this test https://github.com/web-platform-tests/wpt/blob/master/feature-policy/feature-policy-header-policy-allowed-for-some.https.sub.html tests exactly the behavior described above and works. I will look more into it. Thanks
I tried to reproduce locally. With the hosting server you provided and a locally built Chrome with the --no-sandbox flag and Experimental Web Platform features enabled, I get the correct result.
Status: WontFix (was: Untriaged)
Chatted with ericbidelman@ offline. Seems like things are working as expected. Closing this bug. 
Just to loop back. It looks like the issue was with my Feature Policy DevTools extension getting. Opening the test page in an incognito window returns correct values.

What's happening is that I get the browser's supported feature policies by running `document.policy.allowedFeatures()` on about:blank. This of course doesn't have https://example.com as an allowed origin for geolocation, so this ends up overriding what the page originally set for the policy.
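
Added example, not part of the original thread and not Chrome's implementation: a small parser that computes the allowlist the header in the issue description should produce, so the value reported by `document.policy.getAllowlistForFeature()` can be checked against an independent expectation. The helper names are hypothetical, and only the allowlist tokens `*`, `'self'`, `'none'` and explicit origins are handled.

```javascript
// Added example, not Chrome's implementation. Helper names are hypothetical.
// Handles only the allowlist tokens *, 'self', 'none' and explicit origins.
function parseFeaturePolicy(headerValue, selfOrigin) {
  const policy = new Map();
  // Directives are separated by ';' (and ',' when header values are joined).
  for (const directive of headerValue.split(/[;,]/)) {
    const [feature, ...tokens] = directive.trim().split(/\s+/);
    if (!feature) continue;
    // Assumption of this sketch: the first declaration of a feature is kept.
    if (policy.has(feature)) continue;
    const allowlist = new Set();
    for (const token of tokens) {
      if (token === "*") allowlist.add("*");
      else if (token === "'self'") allowlist.add(new URL(selfOrigin).origin);
      else if (token === "'none'") continue;
      else {
        try {
          const origin = new URL(token).origin;
          if (origin !== "null") allowlist.add(origin); // skip opaque origins
        } catch (e) {
          // Not a URL (for example an unknown keyword): ignore the token.
        }
      }
    }
    policy.set(feature, allowlist);
  }
  return policy;
}

function getAllowlistForFeature(policy, feature) {
  return [...(policy.get(feature) || [])];
}

// Returns null when the header does not declare the feature: the browser's
// default allowlist applies then, which this sketch does not model.
function allowsFeature(policy, feature, origin) {
  const allowlist = policy.get(feature);
  if (!allowlist) return null;
  return allowlist.has("*") || allowlist.has(new URL(origin).origin);
}

// Header and document origin taken from the issue description.
const policy = parseFeaturePolicy(
  "geolocation 'self' https://example.com", "http://localhost:8080");
console.log(getAllowlistForFeature(policy, "geolocation"));
console.log(allowsFeature(policy, "geolocation", "https://example.com"));
```

If the value computed here differs from what the page's console reports, repeating the check in a profile without extensions separates a browser bug from extension interference such as the one described in the last comment.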
