Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document when to use allow- attributes vs. extend the sandbox attribute value set for iframes #41

Open
travisleithead opened this issue Feb 8, 2017 · 9 comments
Open

Document when to use allow- attributes vs. extend the sandbox attribute value set for iframes #41

travisleithead opened this issue Feb 8, 2017 · 9 comments
Assignees
@cynthia @dbaron
Labels
Overtaken? This is an old issue that may no longer be relevant? Status: Consensus to write We have TAG consensus about the principle but someone needs to write it (see "To Write" project) Topic: HTML
Milestone
2021-03-01-week

Comments

@travisleithead
Copy link
Contributor

For details, see minutes (https://pad.w3ctag.org/p/2017-02-08-minutes.md) for w3ctag/design-reviews#147.

If the feature is top-level browsing context accessible by default, then use an attribute to grant permission in the iframe.

Otherwise, if the feature is universally available, but you want to disallow it under sandbox (and then optionally re-enable it), then you add a sandbox attribute value.

The difference is the level of privacy/risk the feature has to being universally available.

(See HTML spec for which attributes / sandbox directives currently fall into these buckets.)
@travisleithead travisleithead self-assigned this Feb 8, 2017
@domenic
Copy link
Member

domenic commented Feb 10, 2017

See whatwg/html#2259 (comment) for a slightly more broad overview of the different restriction models on the platform. I agree transposing the contents of that comment into the document, expanding on the gaps in it, and add some advice would be pretty helpful for people.

@dbaron dbaron mentioned this issue Mar 15, 2017
Closed
5 tasks
@torgo torgo added the Status: In Progress We're working on it but ideas not fully formed yet. label Jul 26, 2017
@torgo torgo added Status: Consensus to write We have TAG consensus about the principle but someone needs to write it (see "To Write" project) and removed Status: In Progress We're working on it but ideas not fully formed yet. labels Apr 6, 2018
@dbaron dbaron mentioned this issue Jul 24, 2018
Closed
3 tasks
@dbaron dbaron mentioned this issue Mar 13, 2019
Closed
5 tasks
@dbaron dbaron mentioned this issue Mar 26, 2019
Closed
5 tasks
@dbaron
Copy link
Member

dbaron commented May 22, 2019

As @triblondon points out in w3ctag/design-reviews#341 one of the further pieces of guidance that the document documenting this should have is how to name the features.

@dbaron
Copy link
Member

dbaron commented May 22, 2019

...one important piece of naming advice is when to use positive versus negative names, e.g., what is being allowed or what is being denied. We have a history of inconsistency here.

@dbaron dbaron self-assigned this May 22, 2019
@cynthia cynthia self-assigned this May 22, 2019
@cynthia cynthia mentioned this issue May 22, 2019
Closed
@torgo torgo added this to the 2020-04-06-week milestone Mar 16, 2020
dbaron added a commit to dbaron/design-principles that referenced this issue Apr 2, 2020
@dbaron
Initial start of changes to describe restriction models: list the mod…
2416195 
…els we have.

Once this PR is done (which is isn't now):
Fixes w3ctag#41.
@dbaron dbaron mentioned this issue Jun 15, 2020
Open
@dbaron
Copy link
Member

dbaron commented Jun 15, 2020

I should note that I did start to write text for this but I didn't get very far.

@dbaron dbaron mentioned this issue Jul 21, 2020
Open
@plinss plinss modified the milestones: 2020-08-10-week, 2020-09-07 Sep 5, 2020
@plinss plinss modified the milestones: 2020-09-07, 2020-10-05 Sep 30, 2020
@plinss plinss removed this from the 2020-10-05 milestone Jan 4, 2021
@plinss plinss added this to the 2021-01-04-week milestone Jan 4, 2021
@torgo torgo added the Overtaken? This is an old issue that may no longer be relevant? label May 3, 2021
@cynthia
Copy link
Member

cynthia commented Mar 22, 2022

So far what we have is...

  1. If the feature has a corresponding permission, you should use a permission policy and mint a corresponding allow- attribute.
  2. If the feature is gated by user activation, and there is potential for abuse, consider extending the sandbox flags.

Secure contexts are mentioned in the previous section so maybe we should remove that mention - it shouldn't really be used for feature gating. Document policy, given the maturity probably shouldn't be mentioned. CSP I don't have the slightest idea what to write as guidance.

@cynthia cynthia mentioned this issue Mar 22, 2022
Open
@domenic
Copy link
Member

domenic commented Mar 22, 2022

  1. and mint a corresponding allow- attribute.

I would say that new feature-specific allow attributes (like allowfullscreen="") must not be added. Instead people should use the generic allow="" attribute which works with everything defined in permissions policy.

@cynthia
Copy link
Member

cynthia commented Mar 24, 2022
edited
Loading

Discussed this in-depth during our plenary today - I think we are generally in favor of preferring allow="" and permission policies, but a concern was raised on writing a principle which depends on a feature that is only fully implemented in only one engine. Would love to hear what @hober @annevk think about this.

@annevk
Copy link
Member

annevk commented Mar 24, 2022

Firefox supports allow="". (And we're positive on the Permissions-Policy header.)

@domenic
Copy link
Member

domenic commented Mar 24, 2022

According to MDN, Safari also supports allow="" since 2018.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cynthia cynthia

@dbaron dbaron

Labels
Overtaken? This is an old issue that may no longer be relevant? Status: Consensus to write We have TAG consensus about the principle but someone needs to write it (see "To Write" project) Topic: HTML
Projects
None yet
Milestone
2021-03-01-week
Development

No branches or pull requests
8 participants
@cynthia @LeaVerou @dbaron @torgo @domenic @annevk @travisleithead @plinss