w3c / webappsec-permissions-policy

A mechanism to selectively enable and disable browser features and APIs
https://w3c.github.io/webappsec-permissions-policy/
Other
399 stars 155 forks source link

allow disabled-by-default features #513

Open fergald opened 1 year ago

fergald commented 1 year ago

Motivation:

This would be a tool to use in deprecating and removing a feature. Our current motivator for this is the deprecation of unload but it could apply to any other feature.

Deprecating is hard and we want to provide a period where a feature is still usable but opt-in. The plan for unload is more complicated than just flipping to this state but this is the desired state.

Currently the available defaults for a feature are self and *. It is not possible to have a policy that disables a feature by default.

Proposal

Add an allowed default value of none. This would mean that by default, the feature is not available. To make the feature available in a given frame, that frame would have to declare it via the header and every ancestor of that frame would also have to declare it via the header and delegate it via the allow attribute on the iframe element.

This

The unfortunate side-effect of forcing the feature to be enabled in a the ancestor frames even if they do not want it could be avoided by also implementing not-self .

Alternative outcomes

There are some different outcomes one could imaging trying to achieve.

require action only by the subframe itself

This would make it easier to opt back in while still giving containers utlimate control. It does not seem to sit with the existing inheritance model of PP and would require changes to the decision algorithm, not just the available defaults.

require action only by the containing frames

This would allow sites to restore unload functionality to 3rd party frames even without the cooperation of the 3rd party. It seems like 3rd parties have an incentive to enable the features they use, so this is of questionable benefit vs the proposed outcome.

@clelland

clelland commented 1 year ago

One issue that might motivate the second alternative (besides it just being onerous to have to enable by attribute and header at every frame boundary) is that some contexts actually don't allow for headers to be set -- <iframe srcdoc> , for instance, only allows the content of the frame to be set, not the headers.

I wonder if it would actually be so bad to have a model where:

@marcoscaceres

fergald commented 1 year ago

Does it make sense to say that a srcdoc has the same header policy as its parent? Does that change any previous behaviour?

fergald commented 1 year ago

@smaug--- is there anyone from Mozilla who can weigh in on this?

@marcoscaceres Ian mentioned you had an idea for different semantics.

fergald commented 1 year ago

@smaug---- is there anyone from Mozilla who can weigh in on this?

annevk commented 1 year ago

Is there another feature for which this would make sense? As per https://github.com/WebKit/standards-positions/issues/200 WebKit is not sold on unload. There was an idea before for document.domain, but the scoping ended up being wrong and eventually we landed on something better.

It also seems somewhat unfortunate to introduce new features in order to potentially remove another one.