Editorial: initialize feature policy before document creation

Instead of delegating to the feature policy spec to initialize feature policy after the document is created, initialize feature policy first and pass it in while constructing the document. This uses w3c/webappsec-permissions-policy#324.
dtapuska · Jul 18, 2019 · 2a397f6 · 2a397f6
1 parent 7fdd68a
commit 2a397f6
Showing 1 changed file with 27 additions and 25 deletions.
diff --git a/source b/source
@@ -4100,8 +4100,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="concept-container-policy" data-x-href="https://wicg.github.io/feature-policy/#container-policy">container policy</dfn></li>
      <li><dfn data-x="concept-serialized-feature-policy" data-x-href="https://wicg.github.io/feature-policy/#serialized-feature-policy">serialized feature policy</dfn></li>
      <li><dfn data-x="concept-default-allowlist" data-x-href="https://wicg.github.io/feature-policy/#default-allowlist">default allowlist</dfn></li>
-     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-for-document">Initialize a document's feature policy</dfn> algorithm</li>
-     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-from-response">Initialize a document's feature policy from a response</dfn> algorithm</li>
+     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#create-for-browsingcontext">creating a feature policy</dfn> algorithm</li>
+     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#create-from-response">creating a feature policy from a response</dfn> algorithm</li>
      <li>The <dfn data-x="is-feature-enabled" data-x-href="https://wicg.github.io/feature-policy/#is-feature-enabled">Is feature enabled by policy for origin</dfn> algorithm</li>
      <li>The <dfn data-x="process-feature-policy-attributes" data-x-href="https://wicg.github.io/feature-policy/#process-feature-policy-attributes">Process feature policy attributes</dfn> algorithm</li>
     </ul>
@@ -78048,6 +78048,9 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
    origin</span> given <var>browsingContext</var>, <code>about:blank</code>,
    <var>sandboxFlags</var>, <var>browsingContext</var>'s <span>creator origin</span>, and null.
 
+   <li><p>Let <var>featurePolicy</var> be the result of <span>creating a feature policy</span>
+   given <var>browsingContext</var> and <var>origin</var>. <ref spec="FEATUREPOLICY"></p></li>
+
    <li>
     <p>Let <var>realm execution context</var> be the result of <span>creating a new JavaScript
     realm</span> with the following customizations:</p>
@@ -78067,7 +78070,8 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
    documents">HTML document</span> in <span>quirks mode</span>, whose <span
    data-x="concept-document-content-type">content type</span> is "<code data-x="">text/html</code>",
    <span>origin</span> is <var>origin</var>, <span>active sandboxing flag set</span> is
-   <var>sandboxFlags</var>, and which is both <span>ready for post-load tasks</span> and
+   <var>sandboxFlags</var>, <span data-x="concept-document-feature-policy">feature policy</span> is
+   <var>feature policy</var>, and which is both <span>ready for post-load tasks</span> and
    <span>completely loaded</span> immediately.</p></li>
 
    <li><p>Ensure that <var>document</var> has a single child <code>html</code> node, which itself
@@ -78084,9 +78088,6 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
    <span data-x="concept-document-referrer-policy">referrer policy</span> to <var>creator</var>'s
    <span data-x="concept-document-referrer-policy">referrer policy</span>.</p></li>
 
-   <li><p><span>Initialize a document's feature policy</span> given <var>document</var>. <ref
-   spec="FEATUREPOLICY"></p></li>
-
    <li><p>Add <var>document</var> to <var>browsingContext</var>'s <span>session
    history</span>.</p></li>
 
@@ -83669,6 +83670,24 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
    <var>activeDocumentNavigationOrigin</var>.
 
+   <li>
+    <p>Let <var>featurePolicy</var> be the result of <span>creating a feature policy from a response</span>
+    given <var>browsingContext</var>, <var>origin</var>, and <var>response</var>. <ref
+    spec="FEATUREPOLICY"></p>
+
+    <div class="note">
+     <p>The <span>creating a feature policy from a response</span> algorithm makes use of
+     <var>origin</var>. If <code data-x="dom-document-domain">document.domain</code> has been used
+     for the <span>browsing context container</span>'s <span>node document</span>, then its
+     <span>origin</span> cannot be <span>same origin-domain</span> with <var>>origin</var>, because
+     these steps run before the <var>document</var> is created, so it cannot itself yet have used
+     <code data-x="dom-document-domain">document.domain</code>. Note that this means that Feature
+     Policy checks are less permissive compared to doing a <span>same origin</span> check instead.</p>
+
+     <p>See below for some examples of this in action.</p>
+    </div>
+   </li>
+
    <li><p>If <var>browsingContext</var>'s only entry in its <span>session history</span> is the
    <code>about:blank</code> <code>Document</code> that was added when <var>browsingContext</var> was
    <span data-x="creating a new browsing context">created</span>, and navigation is occurring with
@@ -83699,7 +83718,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <li><p>Let <var>document</var> be a new <code>Document</code>, whose <span
    data-x="concept-document-type">type</span> is <var>type</var>, <span
    data-x="concept-document-content-type">content type</span> is <var>contentType</var>,
-   <span>origin</span> is <var>origin</var>, and <span>active sandboxing flag set</span> is
+   <span>origin</span> is <var>origin</var>, <span data-x="concept-document-feature-policy">feature
+   policy</span> is <var>featurePolicy</var>, and <span>active sandboxing flag set</span> is
    <var>sandboxFlags</var>.</p></li>
 
    <li id="set-the-document's-address"><p>If <var>request</var> is non-null, then set
@@ -83734,24 +83754,6 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     "<code data-x="">no-referrer</code>" at this point.</p>
    </li>
 
-   <li>
-    <p><span>Initialize a document's feature policy from a response</span> given
-    <var>document</var> and <var>response</var>. <ref spec="FEATUREPOLICY"></p>
-
-    <div class="note">
-     <p>The <span>initialize a document's feature policy from a response</span> algorithm makes use
-     of <var>document</var>'s <span>origin</span>. If <code
-     data-x="dom-document-domain">document.domain</code> has been used for the <span>browsing
-     context container</span>'s <span>node document</span>, then its <span>origin</span> cannot be
-     <span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, because these
-     steps run when <var>document</var> is initialized, so it cannot itself yet have used <code
-     data-x="dom-document-domain">document.domain</code>. Note that this means that Feature Policy
-     checks are less permissive compared to doing a <span>same origin</span> check instead.</p>
-
-     <p>See below for some examples of this in action.</p>
-    </div>
-   </li>
-
    <li>
     <p>If <var>response</var> has a `<code data-x="http-refresh">Refresh</code>` header, then:</p>