w3c / webappsec-permissions-policy

A mechanism to selectively enable and disable browser features and APIs
https://w3c.github.io/webappsec-permissions-policy/

A request's "window" is never a Window #533

Open jyasskin opened 1 year ago

jyasskin commented 1 year ago

Should request be allowed to use feature? has

  1. Set window to request’s window.
  2. If window is not a Window, return false.

However, request's window is '("no-window", "client", or an environment settings object whose global object is a Window object)'. That is, it can be an environment settings object, but it can't be a Window. This is confusing, but makes the algorithm here wrong.

annevk commented 1 year ago

Yeah, I'd recommend using

If window is "no-window", then return false.

if you really mean that. But note that window can be set for requests that pass through a service worker. If you really care about the environment that's currently making the request, you want client.
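
The three candidate checks discussed in this thread, modelled as an added example that is not part of the issue or of either spec. The classes, the function names, and the sample requests are constructed stand-ins. The `viaServiceWorker` sample assumes a request whose window is a document's environment settings object while its client is the service worker's, and "client" is assumed to have already been resolved by Fetch.

```javascript
// Constructed stand-ins for the spec concepts; not a real browser API.
class WindowGlobal {}          // models a Window global object
class ServiceWorkerGlobal {}   // models a ServiceWorkerGlobalScope
class EnvironmentSettings {
  constructor(globalObject) { this.globalObject = globalObject; }
}

// Steps 1-2 as quoted in the issue: tests whether request's window *is* a Window.
// request's window is never a Window, so this rejects every request.
function gateAsWritten(request) {
  const window = request.window;
  if (!(window instanceof WindowGlobal)) return false;
  return true; // the algorithm's later steps would run from here
}

// annevk's suggested wording: reject only the "no-window" value.
function gateNoWindow(request) {
  return request.window !== "no-window";
}

// The alternative annevk mentions: inspect client, the environment making the request.
function gateClient(request) {
  return request.client instanceof EnvironmentSettings &&
         request.client.globalObject instanceof WindowGlobal;
}

const docEnv = new EnvironmentSettings(new WindowGlobal());
const swEnv = new EnvironmentSettings(new ServiceWorkerGlobal());

// Constructed sample requests.
const samples = {
  fromDocument:     { window: docEnv,      client: docEnv },
  viaServiceWorker: { window: docEnv,      client: swEnv },
  fromWorker:       { window: "no-window", client: swEnv },
};

function evaluate() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      asWritten: gateAsWritten(req),
      noWindow: gateNoWindow(req),
      client: gateClient(req),
    };
  }
  return out;
}

console.table(evaluate());
```

The `asWritten` column is false for every row, including the request made directly by a document. The `viaServiceWorker` row is where the "no-window" check and the client check disagree.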