- From: Florian Rivoal via GitHub <sysbot+gh@w3.org>
- Date: Mon, 03 Dec 2018 07:42:06 +0000
- To: public-css-archive@w3.org
---
Migrated from https://github.com/WICG/spatial-navigation/issues/58#issuecomment-437228150
Originally created by @jihyerish on *Fri, 09 Nov 2018 02:28:15 GMT*

---

I agree that the feature policy is a good approach to solve the security issue in spatial navigation.

By default, the focus can move to the iframe elements which are same-origin.
But for an iframe whose `allow` attribute (Feature Policy API) gives the `spatial-navigation` feature to `*`, the focus can move inside the cross-origin iframe elements.

A detailed approach for the feature policy would be as below:

-----------------

### Default policy: spatial-navigation 'self'

### Feature-Policy HTTP header

A page can declare the spatial navigation feature in its HTTP headers as follows:

```
Feature-Policy: spatial-navigation 'self'
```

It means that only same-origin iframe elements are allowed for spatial navigation.

### iframe `allow` attribute

The feature can be specified for a single iframe element using the `allow` attribute as below:

```
<iframe src="https://example.com..." allow="spatial-navigation 'none'"></iframe>
```

This will block the spatial navigation feature for the top-level and nested iframe elements.

-- 
GitHub Notification of comment by frivoal
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3360#issuecomment-443616375 using your GitHub account
Received on Monday, 3 December 2018 07:42:16 UTC
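
The following is an added example, not part of the original message or of any browser or specification code: a simplified model of how the proposed default (`'self'`), the `Feature-Policy` header and the iframe `allow` attribute could combine to decide whether focus may move into a frame. The function names, the resolution order and the treatment of a bare `allow="spatial-navigation"` as `'src'` are assumptions made for illustration.

```javascript
// Simplified model of the proposal above; not a browser API.
// FEATURE, parseAllowlist, allowlistMatches and focusMayEnterFrame are hypothetical names.
const FEATURE = "spatial-navigation";
const DEFAULT_ALLOWLIST = ["'self'"]; // default policy proposed in the comment

// Extract the allowlist for FEATURE from a header value or an allow attribute.
// Returns null when the feature is not mentioned at all.
function parseAllowlist(policyText, emptyMeans) {
  for (const directive of (policyText || "").split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name === FEATURE) return values.length ? values : [emptyMeans];
  }
  return null;
}

function originOrNull(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// 'none' (or any unknown keyword) matches nothing, so the result is false.
function allowlistMatches(allowlist, target, selfOrigin, srcOrigin) {
  return allowlist.some((v) =>
    v === "*" ||
    (v === "'self'" && target === selfOrigin) ||
    (v === "'src'" && target === srcOrigin) ||
    (!v.startsWith("'") && originOrNull(v) === target));
}

// Assumed resolution order: the embedding page must have the feature enabled
// for itself; then the iframe's allow attribute decides if it names the
// feature; otherwise the default 'self' applies.
function focusMayEnterFrame({ pageUrl, featurePolicyHeader, iframeSrc, allow }) {
  const pageOrigin = originOrNull(pageUrl);
  const frameOrigin = originOrNull(iframeSrc);
  if (!pageOrigin || !frameOrigin) return false; // fail closed on bad URLs
  const headerList = parseAllowlist(featurePolicyHeader, "'none'") ?? DEFAULT_ALLOWLIST;
  if (!allowlistMatches(headerList, pageOrigin, pageOrigin, pageOrigin)) return false;
  const containerList = parseAllowlist(allow, "'src'") ?? DEFAULT_ALLOWLIST;
  return allowlistMatches(containerList, frameOrigin, pageOrigin, frameOrigin);
}
```

`featurePolicyHeader` is the header value only (for example `spatial-navigation 'self'`), and `allow` is the raw attribute string.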