Comments (8)
Was it necessary to throw "self" out? It would be very nice to have as it's much more copy&pasteable and useful for snippets:
Feature-Policy: {"enable":["geolocation"], "target":["self"]}, {"disable":["geolocation"], "target":["!self"]}
from webappsec-permissions-policy.
Is target:self meant to defend against XSS? I think it's more for incremental adoption than security, i.e. I want this on my first party content but I can't force some third party I embed to do this.
I think it'd be OK to say that target:cascade is not overrideable via the attribute though and that if you want the security assurance you should be using target:cascade.
Does that work?
> I think it'd be OK to say that target:cascade is not overrideable via the attribute though and that if you want the security assurance you should be using target:cascade.
This makes it impossible to whitelist a specific origin: either you block access for everyone, including yourself, or you keep it open for everyone... That said, perhaps #13 could address this?
Taking a step back.. If our goal is to address the XSS case (is it? :)), then I think we have to restrict ourselves to the header mechanism. Or, at least, if you want to protect yourself from the XSS case then: you MUST use the header mechanism; the header mechanism needs to support a whitelisting mechanism (which is what the attribute provides); header policy must take precedence over the attribute values?
Feature-Policy: {"disable":["geolocation"], "target":["cascade"]},
{"enable":["geolocation"], "target":["https://foo.com"]}
<iframe src="https://foo.com/widget"> <!-- Geolocation enabled -->
<iframe src="https://bar.com/thing" enable="geolocation"> <!-- noop...? -->
@jyasskin I think @mikewest's update addresses this case. Can you review and confirm?
It's a step, but to protect against XSS we need a whitelist of origins, while {disable: 'thing', target: [evilx, evily, evilz]} still allows evilw to use 'thing'. When 'enable' rules exist, that'll finish addressing this case.
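The precedence question argued in the two comments above (the cascade-plus-whitelist header in the "Taking a step back" comment, and the "evilw" gap in the deny-list comment) is easier to reason about with something that can be run. The block below is an added illustration, not code from this thread, from the webappsec-permissions-policy repository, or from any browser's Feature-Policy implementation. The rule shape follows the JSON examples posted in the thread; the evaluation order (header enable rule wins, header disable is binding, the iframe attribute only fills the gap), the "self" and "third-party" targets from the last comments, and the origins and feature name "thing" are all assumptions made for the model.

```javascript
// Added illustration only: a toy model of the header-vs-attribute precedence proposed
// in this thread. Not the spec algorithm and not code from any browser or from the
// webappsec-permissions-policy repository. All origins below are constructed.

// Does target expression `t` cover a frame at `frameOrigin` embedded by `pageOrigin`?
// "self" and "third-party" are the targets proposed in the final comments;
// "cascade" covers every frame, the embedding page included; any other string is an
// exact origin.
function targetMatches(t, frameOrigin, pageOrigin) {
  if (t === "cascade") return true;
  if (t === "self") return frameOrigin === pageOrigin;
  if (t === "third-party") return frameOrigin !== pageOrigin;
  return t === frameOrigin;
}

// rules: the parsed Feature-Policy header, e.g.
//   [{ disable: ["geolocation"], target: ["cascade"] },
//    { enable:  ["geolocation"], target: ["https://foo.com"] }]
// attrEnable: feature names from the <iframe enable="..."> attribute (assumed to be
// split on whitespace before it gets here).
function featureAllowed({ feature, frameOrigin, pageOrigin, rules, attrEnable = [] }) {
  const hits = (kind) =>
    rules
      .filter((r) => (r[kind] || []).includes(feature))
      .filter((r) => r.target.some((t) => targetMatches(t, frameOrigin, pageOrigin)));

  // 1. A header "enable" rule that names this frame is the whitelist entry; it beats a
  //    cascade disable (the foo.com case in the thread).
  if (hits("enable").length > 0) return { allowed: true, reason: "header enable rule" };

  // 2. A header "disable" covering this frame is binding. With target "cascade" the
  //    attribute is a no-op (the bar.com case). The thread leaves other targets open;
  //    this model treats every matching header disable as final (assumption).
  const disables = hits("disable");
  if (disables.length > 0) {
    const viaCascade = disables.some((r) => r.target.includes("cascade"));
    return {
      allowed: false,
      reason: viaCascade ? "cascade disable; attribute ignored" : "header disable rule",
    };
  }

  // 3. No header rule reaches this frame, so delegation falls back to the embedder's
  //    attribute. This is the gap an injected <iframe enable="..."> exploits.
  return attrEnable.includes(feature)
    ? { allowed: true, reason: "attribute delegation; no header rule covers this origin" }
    : { allowed: false, reason: "not delegated" };
}

// Constructed scenario: the deny-list header from the thread, then the cascade+whitelist form.
const PAGE = "https://example.com";
const denyList = [
  { disable: ["thing"], target: ["https://evilx.test", "https://evily.test", "https://evilz.test"] },
];
const cascadeWhitelist = [
  { disable: ["thing"], target: ["cascade"] },
  { enable: ["thing"], target: ["https://foo.com"] },
];

// What an XSS payload would inject: <iframe src="https://evilw.test/" enable="thing">
const injected = { feature: "thing", frameOrigin: "https://evilw.test", pageOrigin: PAGE, attrEnable: ["thing"] };

function demo() {
  return {
    // evilw is not on the deny list, so the injected attribute is honoured
    denyListLeaks: featureAllowed({ ...injected, rules: denyList }).allowed,
    // cascade disable makes the injected attribute a no-op
    cascadeBlocks: featureAllowed({ ...injected, rules: cascadeWhitelist }).allowed,
    // the explicit enable rule whitelists foo.com despite the cascade disable
    fooWhitelisted: featureAllowed({ feature: "thing", frameOrigin: "https://foo.com", pageOrigin: PAGE, rules: cascadeWhitelist }).allowed,
    // cascade hits the first-party document too, as the thread points out
    selfBlocked: featureAllowed({ feature: "thing", frameOrigin: PAGE, pageOrigin: PAGE, rules: cascadeWhitelist }).allowed,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Running `demo()` returns `denyListLeaks: true`, `cascadeBlocks: false`, `fooWhitelisted: true` and `selfBlocked: false`, which is the whole argument of the thread in four booleans: a deny-list of targets cannot stop an origin it does not name, and only a cascade disable combined with explicit enable rules gives the embedder a whitelist that an attacker-controlled attribute cannot widen. The cost, visible in `selfBlocked`, is that the first-party document must whitelist itself too, which is the gap the "self" target proposal closes.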
I think we can add "self", but I don't think we want to get into predicates with "!self" and such. /cc @mikewest
Then I propose adding self and third-party as targets.
See discussion in #28 (comment).
Related Issues (20)
- support <meta http-equiv> mechanism to set the policy HOT 2
- document.featurePolicy vs document.permissionsPolicy HOT 2
- Clarify the expected usage of "Should request be allowed to use feature?"
- Potential bug in access delegation to cross-origin iframe for feature that has default allowlist value "self"? HOT 2
- allow disabled-by-default features HOT 5
- Does url match expression in origin with redirect count? takes a URL, not an origin HOT 7
- "If the allowlist contains an origin representing self" is unclear HOT 2
- Editorial: "If origin is opaque" needs to use a cross reference
- Inconsistency in text and parsing algorithm (invalid member value)
- Add "mediasession" to the list of permission policies HOT 1
- Set declared policy for powerful features to self by default HOT 9
- A request's "window" is never a Window HOT 1
- Permissions Policy report missing a document URL HOT 2
- Send reports for Permissions Policy violations in iframe to parent frame's endpoint HOT 19
- Query: Can trusted subframe allocate permission to one of its cross-domain subframes HOT 2
- [clipboard] document.execCommand('copy') and presumably paste bypass permissions policy
- Permissions Policy "deferred-fetch"
- JS playgrounds leak permissions. Guidelines and examples needed HOT 10