Integrate with Feature Policy #822
Conversation
|
@ianbjacobs, can you give this a once over for me? Then I'll ping clelland to make sure it's technically accurate. |
|
Just noting some discussion happening here too: |
|
Annevk tells me that I'll need to update the spec to remove reference to HTML for |
| @@ -635,14 +635,6 @@ | |||
| act as follows: | |||
|
|
|||
|
|
|||
| "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html"> | |||
There was a problem hiding this comment.
Tests will be moving to Feature Policy directory as part of web-platform-tests/wpt#14855
|
@clelland, whenever you can, would really appreciate if you could take a look at this PR. If you have input on web-platform-tests/wpt#14855, that would also be great. |
|
Appreciate the review @ianbjacobs! |
|
Is there any chance that we can kill |
index.html
Outdated
| specified on the iframe element. | ||
| The Feature Policy specification | ||
defines the "payment" feature and the
|
There was a problem hiding this comment.
This spec should probably define the actual feature -- similarly to https://html.spec.whatwg.org/#policy-controlled-features or https://fullscreen.spec.whatwg.org/#feature-policy-integration, it's just a matter of declaring the feature name and the default allowlist ('self' in this case)
And, as @annevk mentioned, the allowpaymentrequest attribute is defined in HTML.
The note in the fullscreen spec is actually a pretty good fit for the situation here. allowfullscreen affects the container policy, unless overridden by allow.
There was a problem hiding this comment.
I agree. I'm kinda conflicted between us trying to get this to REC (important to a lot of members of the WG - aiming for April) and "doing the right thing" and just normatively defining "payment" here 🤔 Our plan is to publish a REC, but then quickly spin up a "v1.1" that would formally define the feature string.
There was a problem hiding this comment.
You cannot get to REC without two implementations right? And implementations wouldn't be able to implement this any other way. Or would you leave this whole thing undefined or some such?
There was a problem hiding this comment.
You cannot get to REC without two implementations right?
Correct.
And implementations wouldn't be able to implement this any other way. Or would you leave this whole thing undefined or some such?
The Feature Policy would be undefined, but there is sufficient prose in the spec (in the constructor) that an implementation that does implement either the allowpaymentrequest attribute or the Feature Policy spec would behave in conforming manner (and could be demonstratively shown to behave in a conforming manner).
marcoscaceres
force-pushed
the
feature_policy
branch
from
71a332e to
30931bb
Compare
|
@domenic wrote:
@rsolomakhin, worth setting up a telemetry probe? It has shipped for about 2 years in Chrome, so might be too late... but never know. |
I agree with this, and it's absolutely the right thing to do - and we might need to accept it as a critical piece of the design (particularly from a security stand point... even if it delays going to REC for a bit). Have you - or @clelland - heard anything from the WebKit folks about supporting Feature Policy? We've unfortunately not been able to get in touch with @aestes about WebKit's implementation plans. |
marcoscaceres
force-pushed
the
feature_policy
branch
from
30931bb to
7679151
Compare
marcoscaceres
changed the title
There was a problem hiding this comment.
This looks good, @marcoscaceres -- one question about the internal cross-reference, but the text is exactly what I'd expect.
index.html
Outdated
| allowed to use the feature indicated by attribute name | ||
| allowpaymentrequest, then throw a | ||
| "SecurityError" DOMException. | ||
| allowed to use the "payment" feature, then throw |
There was a problem hiding this comment.
Should this be payment, to link to the definition in #feature-policy?
There was a problem hiding this comment.
@clelland that would be good. However, I did it this way because Feature Policy itself doesn't actually define the "payment" feature - thus I couldn't actually link to it. However, I'm happy update the link it once Feature Policy defines it.
There was a problem hiding this comment.
I meant to link to the feature-policy section in this spec, where 'payment-feature' is actually defined, not to link to the feature policy spec. Features should ideally be defined in the spec where they are used, rather than centrally in the FP spec.
There was a problem hiding this comment.
Ah, sorry for misunderstanding. Will fix.
closes #600
closes #698
The following tasks have been completed:
Implementation commitment:
Optional, impact on Payment Handler spec?
None.
Preview | Diff