- From: Dave Tapuska <notifications@github.com>
- Date: Wed, 22 May 2019 06:18:15 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 22 May 2019 13:18:38 UTC
Yes, that is correct. Feature policies are what is allowed. And since the default allow list is '*', the policy is that execution is allowed while outside the viewport and while not rendered. I previously proposed a [freezing name](https://github.com/dtapuska/iframe-freeze/commit/53ddce37288479e12b3f1b236742798eb280bab6) but that was not desirable in terms of the properties of inheritance. Feedback that was received was that the policy should only apply to origins that we know are good; i.e. if we want to allow execution of the example.com domain but nobody else. That is a desirable property of feature policy and using a freeze name removed that property. Likewise this makes sense in terms of matching other feature policies as well, i.e. fullscreen feature policy is set to "fullscreen: none" to deny access to fullscreen.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/369#issuecomment-494798134