---
Migrated from https://github.com/WICG/spatial-navigation/issues/58#issuecomment-437228150
Originally created by @jihyerish on *Fri, 09 Nov 2018 02:28:15 GMT*

---

I agree that feature policy is a good approach to solve the security issue in spatial navigation.

By default, the focus can move to iframe elements which are same-origin. But for an iframe where the `spatial-navigation` feature is given to `*` in the `allow` attribute (Feature Policy API), the focus can move inside the cross-origin iframe elements.

The detailed approach for the feature policy would be as below:

-----------------

### Default policy: spatial-navigation 'self'

### Feature-Policy HTTP header

A page can declare the spatial navigation feature in its HTTP headers as follows:

```
Feature-Policy: spatial-navigation 'self'
```

It means that only same-origin iframe elements are allowed for the spatial navigation.

### iframe `allow` attribute

The feature can be specified for a single iframe element using the `allow` attribute as below:

```
<iframe src="https://example.com..." allow="spatial-navigation 'none'"></iframe>
```

This will block the spatial navigation feature for the top-level and nested iframe elements.

--
GitHub Notification of comment by frivoal
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3390#issuecomment-443620290 using your GitHub account

Received on Monday, 3 December 2018 07:58:01 UTC
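
The decision described in the comment above, as an added example that is not part of the original comment or of any specification text: a simplified model of Feature Policy inheritance for the proposed `spatial-navigation` feature. The function names (`parsePolicy`, `canFocusEnterFrame`, and so on) and the sample origins are hypothetical, and the iframe's `src` origin is assumed to equal the origin of the document loaded in it.

```javascript
// Simplified model of Feature Policy inheritance for the proposed
// `spatial-navigation` feature (default allowlist 'self'). Assumption:
// the frame's src origin equals the origin of the document loaded in it.
const FEATURE = "spatial-navigation";

// Parse "feature a b; other c" into a Map of feature -> allowlist tokens.
function parsePolicy(text) {
  const policy = new Map();
  for (const directive of (text || "").split(";")) {
    const [name, ...allowlist] = directive.trim().split(/\s+/);
    if (name) policy.set(name, allowlist);
  }
  return policy;
}

// Does an allowlist admit `origin`? `self` and `src` are the origins that
// the 'self' and 'src' keywords resolve to. 'none' never matches anything.
function matches(allowlist, origin, self, src) {
  return allowlist.some((t) =>
    t === "*" || (t === "'self'" && origin === self) ||
    (t === "'src'" && origin === src) || t === origin);
}

// Is the feature enabled in the embedding document itself?
function enabledInDocument(header, docOrigin) {
  const declared = parsePolicy(header).get(FEATURE);
  // No declaration: the default 'self' always admits the document itself.
  return declared ? matches(declared, docOrigin, docOrigin, null) : true;
}

// May spatial-navigation focus move from the parent document into the iframe?
function canFocusEnterFrame({ parentOrigin, parentHeader, frameOrigin, allow }) {
  if (!enabledInDocument(parentHeader, parentOrigin)) return false;
  const container = parsePolicy(allow).get(FEATURE);
  if (container) {
    // A bare feature name in `allow` (no allowlist) means 'src'.
    const list = container.length ? container : ["'src'"];
    return matches(list, frameOrigin, parentOrigin, frameOrigin);
  }
  return frameOrigin === parentOrigin; // default allowlist: 'self'
}
```
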