183292 2018-03-02 09:35:00 -0800 Investigate usage of XMLHttpRequest's Permissions Policy usage 2024-03-16 01:00:23 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified All RESOLVED DUPLICATE 202098 https://bugs.webkit.org/show_bug.cgi?id=183300 P2 Normal --- 183300 1 iclelland webkit-unassigned achristensen annevk ap beidson cdumez ggaren youennf oldest_to_newest 1403259 0 iclelland 2018-03-02 09:35:00 -0800 XMLHttpRequest objects can have their behavior controlled by feature policy (https://github.com/whatwg/xhr/pull/177, not merged yet) If the policy in the active document disallows the 'sync-xhr' feature, then calling .send() on the XMLHttpRequest object should throw a NetworkError (and ideally log a message to the developer console) Demo: https://xhr.featurepolicy.rocks/ GitHub issue: https://github.com/whatwg/xhr/issues/178 Web Platform Tests: https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html Feature policy itself has been partially implemented as part of https://bugs.webkit.org/show_bug.cgi?id=167430, but I haven't found another bug for the rest of the implementation. Let me know if I should file that as well. 1403271 1 youennf 2018-03-02 09:46:55 -0800 Hi Ian, I guess that if there are other bugs related to feature policy that are filed, maybe having an umbrella bug might be useful. The current feature policy "implementation" is minimal in that it only checks for the iframe attribute, (no headers checking) and is specific to media capture. 1403344 2 iclelland 2018-03-02 13:21:04 -0800 Thanks, Youenn --- I filed https://bugs.webkit.org/show_bug.cgi?id=183300; I'm not sure if bugzilla allows me to declare a dependency of this bug on that one. 2021309 3 annevk 2024-03-15 05:58:15 -0700 Letting a top-level site adjust the control flow of an embedded site is generally not a good idea. This has also been removed from XMLHttpRequest. 2021310 4 annevk 2024-03-15 06:08:36 -0700 Actually, there is something implemented. Maybe that needs to be removed. 2021568 5 annevk 2024-03-16 01:00:23 -0700 *** This bug has been marked as a duplicate of bug 202098 ***