Integrate Feature Policy: "sync-xhr"

This adds a policy-controlled feature, named 'sync-xhr', which can be disabled in a document to turn off synchronous requests for that document (and documents in all descendant frames). Calling send() on a synchronous request in a document where "sync-xhr" is disabled will result in a "NetworkError" DOMException exception being thrown. Caveat: whatwg/html#3287 which redefines "allowed to use" in HTML to be more like https://wicg.github.io/feature-policy/#allowed-to-use has not yet landed. If that takes significant time we should add a note to its usage here. Tests: xhr/xmlhttprequest-sync-default-feature-policy.sub.html in web-platform-tests. Fixes #178.
whatwg · Mar 2, 2018 · 67a423f · 67a423f
1 parent c6583e9
commit 67a423f
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/xhr.bs b/xhr.bs
@@ -136,12 +136,13 @@ community.
 <h2 id=terminology>Terminology</h2>
 
 <p>This specification uses terminology, cross-linked throughout, from DOM,
-DOM Parsing and Serialization, Encoding, Fetch, File API, HTML, HTTP, URL, Web IDL, and
-XML.
+DOM Parsing and Serialization, Encoding, Feature Policy, Fetch, File API, HTML,
+HTTP, URL, Web IDL, and XML.
 
 [[!DOM]]
 [[!DOMPS]]
 [[!ENCODING]]
+[[!FEATURE-POLICY]]
 [[!FETCH]]
 [[!FILEAPI]]
 [[!HTML]]
@@ -998,6 +999,11 @@ method must run these steps:
   <p>Otherwise, if the <a>synchronous flag</a> is set, run these substeps:
 
   <ol>
+   <li><p>If <a>context object</a>'s <a>relevant settings object</a> has a
+   <a>responsible document</a> which is <em>not</em> <a>allowed to use</a> the
+   "<code><a>sync-xhr</a></code>" feature, then run <a>handle response end-of-body</a> for a
+   <a>network error</a> and return.
+
    <li>
     <p>Let <var>response</var> be the result of
     <a for=/>fetching</a> <var>req</var>.
@@ -2007,6 +2013,12 @@ attributes initialized to false, so it is suggested that for consistency all
 {{ProgressEvent}} interface do the same.
 
 
+<h3 id=feature-policy-integration>Feature Policy Integration</h3>
+
+<p>This specification defines a <a>policy-controlled feature</a> identified by the string
+"<code><dfn>sync-xhr</dfn></code>". Its <a>default allowlist</a> is <code>*</code>.
+
+
 <h3 id=security-considerations>Security Considerations</h3>
 
 <p>For cross-origin requests some kind of opt-in, e.g. the
@@ -2100,6 +2112,7 @@ Hallvord R. M. Steen,
 Henri Sivonen,
 Hiroshige Hayashizaki,
 Huub Schaeks,
+Ian Clelland,
 Ian Davis,
 Ian Hickson,
 Ivan Herman,