HTML calls "creating a feature policy" in https://html.spec.whatwg.org/#creating-a-new-browsing-context. However, the "creating a feature policy" algorithm asks whether it's operating on a nested browsing context. And, at the time that call is made, the browsing context is never a nested BC, because we're still in the process of creating it; we haven't set up the parent relationships.
In whatwg/html#5583 we changed things a bit to make this setup more resilient. In particular, whatwg/html@3511b20 fixed the analogous problem for the sandboxing flags.
Concretely, it looks like the algorithm should be updated to accept null or an element embedder, instead of a browsing context. And then it should pass that through to https://w3c.github.io/webappsec-feature-policy/#define-inherited-policy, which can just check if embedder is null or not, and if it is not, use embedder directly.
Then we'd update the HTML call site and remove the red box.
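A simplified JavaScript model of the ordering problem this issue describes, added here as an illustration and not taken from the HTML or Feature Policy specifications. The object shapes (`container`, `nodeDocumentPolicy`), the function names and the "camera" scenario are constructed, and the real algorithm's container-policy and origin checks are omitted.

```javascript
// Simplified model (assumption): a policy is a Map of feature name -> boolean,
// and a missing entry means the feature is enabled by default.
const enabledIn = (policy, feature) => policy.get(feature) !== false;

// Shape described in the issue: the algorithm receives the browsing context
// and asks whether it is nested. During creation the container link has not
// been set yet, so the nested branch is never taken.
function inheritedPolicyFromContext(feature, browsingContext) {
  if (browsingContext.container !== null) {
    return enabledIn(browsingContext.container.nodeDocumentPolicy, feature);
  }
  return true; // treated as a top-level context
}

// Proposed shape: the caller passes null or the embedder element, and the
// algorithm only checks whether embedder is null.
function inheritedPolicyFromEmbedder(feature, embedder) {
  if (embedder !== null) {
    return enabledIn(embedder.nodeDocumentPolicy, feature);
  }
  return true; // no embedder: top-level context
}

// Constructed scenario: a parent document whose policy disables "camera"
// embeds an iframe; the new context's parent relationship is set afterwards.
function createNestedContext(defineInherited, passEmbedder) {
  const iframe = { nodeDocumentPolicy: new Map([["camera", false]]) };
  const context = { container: null }; // still being created
  const camera = defineInherited("camera", passEmbedder ? iframe : context);
  context.container = iframe; // parent relationship set up too late to matter
  return { camera };
}

// Context-based call: the parent's restriction is silently dropped.
const viaContext = createNestedContext(inheritedPolicyFromContext, false);
// Embedder-based call: the parent's restriction is inherited.
const viaEmbedder = createNestedContext(inheritedPolicyFromEmbedder, true);
console.log({ viaContext, viaEmbedder });
```

In this model the context-based variant reports the feature as enabled in the child even though the embedding document disabled it, which is the inheritance gap the embedder parameter closes.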