Integrate Feature Policy concepts into HTML

[clelland]

This commit introduces the feature policy for Document objects, adds the
'allow' attribute to iframe elements, and reframes 'allowfullscreen',
'allowpaymentrequest' and 'allowusermedia' in terms of feature policy.
Document allow* flags are removed, as they are no longer referenced.

The 'allowed to use' algorithm is also updated to call into the feature
policy 'Is feature enabled' algorithm, and rewritten to take a policy-
controlled feature as an argument rather than an attribute, so that
other specs can also use it to control other features.

---

/browsers.html ( diff )
/browsing-the-web.html ( diff )
/dom.html ( diff )
/iframe-embed-object.html ( diff )
/infrastructure.html ( diff )
/references.html ( diff )

[annevk]

Thanks for the PR. Here is some early feedback. I hope that @zcorpan can also review as he worked on the predecessors of allow quite a bit. I'm a little concerned with the changes in semantics, but if those can somehow be proven to be compatible it would be a nice cleanup for sure.

[annevk]

Since this is a non-normative description it should not use "should".

[clelland]

I thought there was a distinction between 'should' and 'SHOULD', but if not, then this should change.

How about 'will', as in:

When specified, it indicates that Document objects in the iframe element's browsing context will be initialized with a feature policy which allows the fullscreen feature to be used from any origin.

[clelland]

Changed to will, thanks.

[annevk]

Same here.

[clelland]

Done.

[annevk]

And here.

[clelland]

Done.

[annevk]

This is an incompatible change per #2143 (comment). Is that what Chrome now implements? We used to take dynamic changes into account for at least allowfullscreen.

[clelland]

Chrome has been following this since M62 (Released in beta September 14, stable October 17). The original discussion to implement and ship was at https://groups.google.com/a/chromium.org/d/topic/blink-dev/UKChYGBYvSk/discussion (Referencing #2187 in this repo)

[annevk]

This should be renamed given that it applies to documents. That's not a global.

[clelland]

Agreed. This is changed to #initialize-for-document in w3c/webappsec-permissions-policy#104. I'll merge that one first once it matches the changes here, and update this PR accordingly.

[clelland]

Done now.

[annevk]

This newline can go.

[clelland]

Done

[annevk]

This newline can go.

[clelland]

Done.

[annevk]

Do you mean nested browsing context's active document here? Also, link "feature policy".

[clelland]

Yes; added links to "active document" and "feature policy".

[annevk]

page -> document

[clelland]

Done (this was following the wording on the very similar warning for sandbox, which should probably be changed too)

[annevk]

I think it would be nicer for feature testing if allow ended up reflecting the internal CSP-like data model. That would also give us an additional hook to make sure UAs actually implement it correctly.

[clelland]

We're looking at adding a policy member to iframe DOM elements (though not an html attribute) to be able to introspect the policy that is being applied to the frame; that's w3c/webappsec-permissions-policy#65, I believe.

That's slightly different than just reflecting the structure of allow, since it also includes any other restrictions inherited from the document: If the current document does not have fullscreen enabled, for instance, then looking at the allow attribute on <iframe allow=fullscreen> will indicate that fullscreen was requested, but the iframe.policy member will show that the feature would not be allowed in that frame.

[annevk]

Sure, but wouldn't reflecting allow better still make sense?

[clelland]

I think I see what you mean -- it was originally a DOMTokenList, but that wasn't flexible enough, so we made it a DOMString like csp rather than attempting to define a complete data structure to reflect.

It would be useful to reflect it in this way -- I presume that would mean including the IDL for that type here. would that also require updating the definition of reflect to declare what it means to "reflect a feature policy allowlist"?

[annevk]

An alternative might be to not use reflect and write out what the requirements are.

[domenic]

I think using reflect here is good and proper, as long as the idea is to be like sandbox/srcset/csp instead of something more complicated.

I'm not sure it's worth the extra trouble to make a custom class for this until people ask for it; given that they haven't done so for those other attributes in the past I'd much rather wait than put in the up-front effort now.

[annevk]

I thought there was a distinction between 'should' and 'SHOULD'

Please see https://infra.spec.whatwg.org/#conformance. Using "will" seems fine for a statement of fact.

Done -- origin, even when it is "document's origin"

Ah, I guess we still need to clean that up at some point.

(this was following the wording on the very similar warning for sandbox, which should probably be changed too)

Could you file a follow-up issue on that?

[annevk]

(Aside: your Git email address does not match your GitHub email address. You might want to add your @google.com handle to your GitHub account so you get proper credit.)

[annevk]

Note to self: commit message needs to reference everything regarding allowfullscreen that's now moot (and close as appropriate).

[annevk]

Other things that need to be done before landing:

• web-platform-tests PR (also needs to be referenced from the commit message; we can take care of the referencing)
• implementation bugs (except for Chrome I suppose, though might be good to reference in case of coordination needs)

[zcorpan]

Also see tests for snapshotting allowfullscreen in web-platform-tests/wpt#4354

[clelland]

I've updated the PR in response to the comments left on it, and to remove the unneeded references to feature "names" (from w3c/webappsec-permissions-policy#125)

[clelland]

Done now.

[clelland]

Done

[clelland]

Done.

[clelland]

Done.

[clelland]

Done.

[clelland]

Done -- merged these together, in a note div.

[clelland]

Done.

[clelland]

Done.

[clelland]

Yes; added links to "active document" and "feature policy".

[clelland]

We're looking at adding a policy member to iframe DOM elements (though not an html attribute) to be able to introspect the policy that is being applied to the frame; that's w3c/webappsec-permissions-policy#65, I believe.

That's slightly different than just reflecting the structure of allow, since it also includes any other restrictions inherited from the document: If the current document does not have fullscreen enabled, for instance, then looking at the allow attribute on <iframe allow=fullscreen> will indicate that fullscreen was requested, but the iframe.policy member will show that the feature would not be allowed in that frame.

[annevk]

Apart from the concerns expressed in the individual comments, I'm still a little concerned about the time it will take for implementations to catch up with all these changes (and about the compatibility impact for some of them).

Is Chrome already shipping this simplified version?

Tests are still very much needed as well, including adjusting the existing tests for allowfullscreen et al.

[annevk]

Title case seems wrong?

[annevk]

Title case seems wrong?

[annevk]

This also does not seem to match what is referenced.

[annevk]

It seems Feature Policy itself is inconsistent on the casing of "feature policy" (I recommend lowercase).

[annevk]

This does not quite make sense since if document's feature policy is a feature policy, then feature policy has to be standalone. However, the Feature Policy specification suggests it's a slot on document, which makes this weird.

[clelland]

I've sent a PR to feature-policy (w3c/webappsec-permissions-policy#165) that I hope addresses this, by making feature policy standalone. Can you take a look and see if that makes sense?

[annevk]

<ref> goes after the dot.

[annevk]

Sure, but wouldn't reflecting allow better still make sense?

[annevk]

You need to use <var>document</var> here.

[annevk]

This goes beyond a 100 columns.

[annevk]

I would really like to keep this example in some fashion, since it demonstrates why using same origin-domain can be more strict than using same-origin. It still seems relevant so I'm not sure why we'd remove it.

[clelland]

I've put that example back, though I ended up moving it to browsing-the-web.html#initialise-the-document-object, since that's where the processing steps are.

[clelland]

I'm updating the wpt tests; there's an auto-generated PR at web-platform-tests/wpt#10966

[annevk]

FYI, if I go to https://github.com/whatwg/html/pull/3287/files there's still four comments from me that are not addressed.

[domenic]

@annevk Ian and I spent some time yesterday going over this in person. The only outstanding issue we identified was the phrasing around document vs. browsing context, which Ian just fixed. IMO this is ready to merge; do you agree? (Assuming of course that Ian files browser bugs on the changes to the allow* attributes.)

[annevk]

I suspect this is mostly in order now. Thanks a lot for working through all the things. I have a couple nits and @domenic should do a more line-by-line editorial review.

I think we already have tests covering some of this? In any case, someone needs to ensure testing is adequate and link that from the final commit.

(I'm going on vacation, hence the summary review.)

[annevk]

'Enabled' per Feature Policy?

[clelland]

Feature policy should be consistent, but isn't right now. This algorithm does use "Enabled", but the one above used 'Enabled'. I'll update that spec to use strings throughout, so this should be correct.

[annevk]

Cannot have a newline after a start tag.

[clelland]

Done

[annevk]

Closing </li>.

[clelland]

Done

[annevk]

No additional newline here.

[clelland]

Is there a more extensive styleguide somewhere? Not complaining at all, just trying to understand what's expected.
From a quick grep, I see 554 instances of "<div class="example">" in the spec: 98 followed by a single newline; 438 followed by 2 newlines. (and 8 with the example starting on the same line as the opening <div>)

[annevk]

You'd be right to complain. We're slowly migrating to single newline after "block-level" start tags (and before the end tag), like div, ol, li etc. if they contain multiple "block-level" children.

[annevk]

Same.

[clelland]

Done.

[clelland]

Thanks, @annevk ! -- I'll take care of the nits and push again.
For testing, we have WPT for:

• allowfullscreen behaviour
• allowpaymentrequest behaviour
• content attributes (I was waiting for this PR to land before merging)
• And there is an outstanding question about allowusermedia here: Test <iframe allowusermedia> web-platform-tests/wpt#4625

[domenic]

LGTM! Found one typographical thing to fix and pushed it, as well as a couple things to note (below). Will merge now. Please file issues on the browsers, and leave pointers to them here.

[domenic]

Are feature names fullscreen, or "fullscreen"? https://xhr.spec.whatwg.org/#sync-xhr uses the latter but https://wicg.github.io/feature-policy/#process-feature-policy-attributes and this patch uses the former.

[clelland]

Good catch -- we originally had a different symbolic feature name and string identifier, but that turned out to be redundant, so we only use the string now, and the feature policy spec should just use those strings.

https://wicg.github.io/feature-policy/#policy-controlled-feature now says that features are identified by tokens, which are character strings.

[domenic]

I wonder if we should tell authors not to use allowfullscreen/allowpaymentrequest/allowusermedia. Maybe only once all browsers support allow=""? This is probably worth filing a follow-up issue to track.

[clelland]

It would be less confusing in the far future if we were to deprecate those; once there's wide support for allow, we should think about doing that.

In the meantime, we should also make sure that there's guidance somewhere about not introducing new allowfoo-style attributes on <iframe>.