\n","7.1.2. Frame policies","It is also possible to inspect the policy on an iframe element, from the\n document which contains it. The policy object in this case represents the observable policy for the frame, which depends only on the current\n document and the attributes of the iframe element. It does not reveal whether\n a feature is actually currently allowed in the frame, as the document in the\n frame may have applied its own policy via an HTTP header, or may have\n navigated away from its initial location to a new origin. Revealing the\n effective policy in the iframe element’s nested navigable in that case could\n leak information about the behaviour of a cross-origin document.","\n\n\n","The observable policy on an iframe element is independent of any\n actual content loaded into the frame (to avoid cross-origin information\n leakage), or even whether it is in a document tree.","\n\n\n\n","7.2. The permissionsPolicy object","[","Exposed","=","Window","]\n","interface"," {\n ","boolean","allowsFeature","(","DOMString","optional",");\n ","sequence","<","> ","();\n ","allowedFeatures","getAllowlistForFeature",");\n};\n\n","partial"," {\n [","SameObject","] ","readonly","attribute","permissionsPolicy",";\n};\n\n","HTMLIFrameElement",";\n};\n","A "," object has an ","associated node",", which\n is a ","Node"," is set when the "," object is created."," object has a ","default origin",", which is\n an ",", whose value depends on the state of the "," object’s ",", then its "," is the ","Element","declared origin","Each ","policy object",", which is\n a "," instance whose "," is that "," IDL attribute, on\n getting, must return the "," element has a ",",\n which is a "," is\n that element.","allowsFeature(feature, origin)"," method must run the following\n steps:"," is omitted, set "," to this ","policy"," be the ","observable policy"," for this "," is allowed by "," for ",", return true.","Otherwise, return false.","features()"," method must run the following 
steps:","Set ","result"," to an empty ordered set.","For each ","Append "," to ","return result","allowedFeatures()"," be this ","default\n origin",", append ","getAllowlistForFeature(feature)"," to an empty list.","default\n origin"," is not allowed in ",", return "," be ","]'s "," is the special value ","Append \"","\" to ","Return "," is not null,\n append the "," of it to ","Otherwise, for each ","The observable policy for any Node is a permissions\n policy, which contains the information about the policy in the navigable\n represented by that Node which is visible from the current document.","To get the "," for a Document ","’s permissions policy."," for an Element ","node",", run the\n following steps:"," be an empty ","isInherited"," be the result of running ","Define\n an inherited policy for feature in container at origin","] to ","Return a new "," a ","struct"," with both ","reporting\n configuration"," new ","node document","sandboxed origin browsing\n context flag"," is set, then return a new "," attribute is set, and does not contain\n the ","allow-same-origin"," keyword, then return a new ","srcdoc"," attribute is set, then return ","’s origin."," attribute is set:"," be the result of parsing ","’s src attribute,\n relative to "," is not failure, return "," The "," concept is intended to represent the origin of\n the document which the embedding page intends to load into a frame. This\n means, for instance, that if the browser does not support the "," attributes, it should not take\n those attributes into account when computing the declared origin.","8. Reporting","Permissions policy violation reports indicate that some behavior\n of the Document has violated a permissions policy. 
It is up to\n the specification of each individual policy-controlled feature to define what\n it means to violate that\n policy, and how to determine when such a violation has occurred.","Permissions policy violation reports have the report type \"permissions-policy-violation\".","Permissions policy violation reports"," are ","visible to ","ReportingObserver","s","PermissionsPolicyViolationReportBody"," : ","ReportBody"," {\n [","Default","object","toJSON","featureId",";\n ","? ","sourceFile","long","lineNumber","columnNumber","disposition","permissions policy violation report","body",", represented in\n JavaScript by ",", contains the following\n fields:","featureId: The\nstring identifying the policy-controlled feature whose policy has\nbeen violated. This string can be used for grouping and counting\nrelated reports.","sourceFile: If\nknown, the file where the violation occurred, or null otherwise.","lineNumber: If\nknown, the line number in sourceFile where the violation occurred, or null otherwise.","columnNumber: If\nknown, the column number in sourceFile where the violation occurred, or null otherwise.","disposition: A\nstring indicating whether the violated permissions policy was\nenforced in this case. disposition will be set to\n\"enforce\" if the policy was enforced, or \"report\" if the violation resulted only in this report being generated (with no further action taken\nby the user agent in response to the violation).","8.1. "," (server to client) to\n communicate a "," that should not be enforced by the\n client, but instead should be used to trigger reports to be sent if any\n policy declared within it ","would"," have been violated, had the policy been\n active.","` is a\n structured header. Its value must be a dictionary.","9. Algorithms","9.1. Process response policy","\n Given a "," (","), an ","), and a boolean\n (","report-only","), this algorithm returns a ",". 
\n ","header name"," be \"","\" if "," is True, or \"","\" otherwise.","parsed header"," be the result of executing ","get a structured\nfield value"," given "," and \"dictionary\" from ","header list"," is null, return an empty ","Construct policy from\ndictionary and origin","9.2. Construct policy from dictionary and origin","\n Given an ","dictionary",") and an ","), this\n algorithm will return a ","reporting-config","feature-name"," → (","value","params",") of "," does not identify any recognized ",", then ","continue"," identified by ","[\"report-to\"] exists, and is a string, then set ","[\"report-to\"]."," be a new "," is the token ",", or if "," is a list which contains\nthe token ",", set ","Otherwise:",", let ","Otherwise if ","list","for each","element"," is a valid ","append","Return «","».","9.3. Parse policy directive","\n Given a string (","container origin","), and an\n optional ","target origin","policy\n directive","directive","serialized-declaration"," returned by ","strictly splitting "," on the delimiter\nU+003B (;)","tokens"," be the result of ","splitting "," on\nASCII whitespace."," is an empty list, then "," be the first element of ","targetlist"," be the remaining elements, if any, of ","If any element of "," is the string \"","\", set "," is empty and "," is given,\n let ","ASCII case-insensitive"," match for\n\"","\":","Continue to the next "," is given, and ","ASCII\ncase-insensitive"," match for \""," be the result of executing the ","URL parser"," is not failure:","target"," is not an "," the ","9.4. Process permissions policy attributes","\n Given an element (","container\n policy",", which may be empty. \n "," element, then return an empty ","policy\n directive","Parse policy\ndirective"," given the value of "," attribute,\nthe "," attribute is specified, and "," does not ","contain"," an entry for the ","Set","] = ","the\n special value ","9.5. 
Create a Permissions Policy for a navigable","\n Given null or an ","container",") this algorithm returns a new ","Assert: If not null, ","supported",",","Define an\ninherited policy for feature in container at origin",", with "," «[], []».","9.6. Create a Permissions Policy for a navigable from response","\n Given null or a ","), a ","), and an optional boolean\n (","), with a default value of False, this algorithm returns a new ","Create a Permissions\nPolicy for a navigable","d","Process response\npolicy"," → ","inherited\n policy","] is true, then set ","declared\n policy","9.7. Define an inherited policy for feature in container at origin","), null or a ","), and an "," in\n that container (","), this algorithm returns the ","inherited policy value"," is null, return \"","\".","If the result of executing ","Get feature value for\norigin","’s origin is\n\"","\", return \""," is \"","Process\npermissions policy attributes","exists",", return \"","Otherwise return \"",", return\n\"","9.8. Get feature value for origin"," object\n (","), this algorithm\n returns \""," should be considered\n disabled, and \"","\" otherwise. \n "," is present in ",", then return \"","Return \"","9.9. Check permissions policy","\n To check a permissions policy, given ",") and another ","document origin","), this algorithm returns \""," should be considered disabled, and \"","\"\n otherwise. \n ","9.10. Is feature enabled in document for origin?","), and an optional boolean (","report","),\n with a default value of True, this algorithm returns \"","\"\n if ","\"\n otherwise. If "," is True, then it will also ","generate and queue a\n report"," if the feature is not enabled in either ","report-only\n permissions policy","Note:"," The default value of True for "," means that most permissions\n policy checks will generate a violation report if the feature is not\n enabled. This is the expected result, as most checks are for an actual\n attempted use of the feature. 
If a call to this algorithm is performed just\n to query the state of a feature, and does not represent an actual attempt to\n use the feature, then "," should be set to False.","report-only policy","report-only\n permissions policy"," be the result of calling ","Check permissions\n policy",", given ","report-only result","Check\n permissions policy",",\n and "," is True:","settings","environment settings object","endpoint","Get the\n reporting endpoint for a feature","Call ","Generate report for violation of permissions\n policy on settings",",\n \"","Enforce","\", and ","Else, if ","report-only endpoint","Get the reporting endpoint for a feature","Report","Return result","9.11. Get the reporting endpoint for a feature",") and a ","),\n this algorithm returns a string naming the endpoint to send violation\n reports to, or null if no such endpoint has been declared in ","config","] exists, return ","].","Return null.","9.12. Generate report for violation of permissions policy on settings","), a string (","), and a string-or-null (","),\n this algorithm generates a "," about the ","violation"," of the\n policy for ",", initialized\nas follows:","’s string representation.","If the user agent is currently executing script, and can extract the\nsource file’s URL, line number, and column number from ",", then\nset "," accordingly.","Execute ","generate and queue a report",",\n\"permissions-policy-violation\", ","9.13. Should request be allowed to use feature?","request","),\n this algorithm returns ","true"," if the request should be allowed to\n use ","false"," otherwise. \n ","window"," is not a ","Permissions Policy within non-Window contexts\n (","WorkerGlobalScope","WorkletGlobalScope",") is being figured out in ","issue\n #207",". After that’s resolved, update this algorithm to allow fetches\n initiated within these contexts to use policy-controlled features. 
","Until"," that’s resolved, disallow all policy-controlled features (e.g.,\n sending Client Hints to third parties) in these contexts.","associated ","Is feature\nenabled in document for origin?","\", return ","Otherwise, return ","10. Changes to other specifications","10.1. Changes to the HTML specification","\n Every ","report-only permissions\n policy",", which is a ",", which is initially empty. \n ","In 7.5.1\n Shared document creation infrastructure, after step 3, insert the\n following step:","reportOnlyPermissionsPolicy","Create a Permissions Policy for a navigable from\n response"," given navigationParams’s navigable’s container,\n navigationParams’s origin, navigationParams’s response, and True.","And in the same section, in step 10, set the new ","'s","report-only permissions policy",". \n ","11. IANA Considerations","The permanent message header field registry should be updated with the\n following registration [RFC3864]:","Header field name\n ","Permissions-Policy\n ","Applicable protocol\n ","http\n ","Status\n ","standard\n ","Author/Change controller\n ","W3C\n ","Specification document\n "," https://www.w3.org/TR/permissions-policy/ \n ","12. Privacy and Security","This specification standardizes a mechanism for an embedding page to set a\n policy which will be enforced on an embedded page. 
Similar to iframe ",", this can be done without the express permission of the\n embedded page, which means that behaviors of existing features can be changed\n in published web sites, by embedding them in another document with an\n appropriate container policy.","As such, the biggest privacy and security concerns are:","Exposure of behavior in a cross-origin subframe to its embedder\n ","Unanticipated behavior changes in subframes controlled by the\n embedder\n ","To a degree, these concerns are already present in the web platform, and\n this specification attempts to at least not make them needlessly worse.","Security and privacy issues may also be caused by the design of individual\n features, so care must be taken when integrating with this specification. This\n section attempts to provide some guidance as to what kinds of behaviors could\n cause such issues.","12.1. Exposure of cross-origin behavior","Features should be designed such that a violation of the policy in a\n framed document is not observable by documents in other frames. For instance,\n a hypothetical feature which caused an event to be fired in the embedding\n document if it is used while disabled by policy, could be used to extract\n information about the state of an embedded document. If the feature is known\n only to be used while a user is logged in to the site, for instance, then the\n embedder could disable that feature for the frame, and then listen for the\n resulting events to determine whether or not the user is logged in.","The introspection API is designed to only show information about a\n subframe’s policy which could already be deduced by the embedding document.\n This "," is not affected by any HTTP headers delivered\n with the framed document, and does not change when the frame navigates itself,\n even if such navigation is to a different origin, where a different policy\n applies. Only navigations caused by setting the ","