Bug 183292 - Restrict usage of synchronous XMLHttpRequest by feature policy
Summary: Restrict usage of synchronous XMLHttpRequest by feature policy
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified All
Importance: P2 Normal
Assignee: Nobody
Depends on:
Blocks: 183300
Reported: 2018-03-02 09:35 PST by Ian Clelland
Modified: 2018-08-27 22:03 PDT

See Also:


Description Ian Clelland 2018-03-02 09:35:00 PST
XMLHttpRequest objects can have their behavior controlled by feature policy
(https://github.com/whatwg/xhr/pull/177, not merged yet)

If the policy in the active document disallows the 'sync-xhr' feature, then calling .send() on the XMLHttpRequest object should throw a NetworkError (and ideally log a message to the developer console).

Demo: https://xhr.featurepolicy.rocks/
GitHub issue: https://github.com/whatwg/xhr/issues/178
Web Platform Tests: https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html

Feature policy itself has been partially implemented as part of https://bugs.webkit.org/show_bug.cgi?id=167430, but I haven't found another bug for the rest of the implementation. Let me know if I should file that as well.
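The behaviour the report asks for, as an added JavaScript example that is not part of the bug report and not WebKit code: a caller that attempts a synchronous XHR and handles the NetworkError that send() throws once the document's policy disallows 'sync-xhr', so legacy code degrades instead of crashing. The header and iframe syntax in the comments, the two stub XHR constructors, the helper names and the URL are assumptions or constructed for this example; in a real page the global XMLHttpRequest is passed in.

```javascript
// Added example, not code from the bug report or from WebKit.
// Policy delivery (assumed syntax from the Feature Policy draft of the time):
//   HTTP response header on the document:  Feature-Policy: sync-xhr 'none'
//   or on an embedding frame:              <iframe allow="sync-xhr 'none'" src="...">
// With that policy in force, xhr.open(..., false) still succeeds but
// xhr.send() throws a DOMException whose name is "NetworkError".

// Attempt a synchronous GET with whatever XHR constructor is supplied, so the
// same function runs in a browser (XMLHttpRequest) or offline against a stub.
function trySyncGet(XhrCtor, url) {
  const xhr = new XhrCtor();
  xhr.open('GET', url, false); // third argument false = synchronous
  try {
    xhr.send();
  } catch (err) {
    if (err && err.name === 'NetworkError') {
      // The policy block surfaces here; report it so the caller can
      // fall back to an asynchronous request instead of failing outright.
      return { blocked: true, status: 0, body: null, reason: err.message };
    }
    throw err; // any other exception is a genuine failure, surface it
  }
  return { blocked: false, status: xhr.status, body: xhr.responseText, reason: null };
}

// Build a NetworkError the way a browser would; older Node versions have no
// global DOMException, so fall back to a plain Error carrying the same name.
function networkError(message) {
  if (typeof DOMException !== 'undefined') {
    return new DOMException(message, 'NetworkError');
  }
  return Object.assign(new Error(message), { name: 'NetworkError' });
}

// Constructed stub: XMLHttpRequest in a document whose policy disallows sync-xhr.
class BlockedXMLHttpRequest {
  open(method, url, async) {
    this.async = async;
    this.status = 0;
    this.responseText = '';
  }
  send() {
    if (this.async === false) {
      throw networkError('Synchronous XMLHttpRequest is disallowed by feature policy');
    }
  }
}

// Constructed stub: XMLHttpRequest in a document that still permits sync-xhr.
class AllowedXMLHttpRequest {
  open(method, url, async) {
    this.async = async;
  }
  send() {
    this.status = 200;
    this.responseText = '{"ok":true}';
  }
}

// Usage: a real page passes the global XMLHttpRequest; the stubs stand in here.
const sampleUrl = 'https://api.example.invalid/config.json'; // constructed
console.log(trySyncGet(BlockedXMLHttpRequest, sampleUrl));
// { blocked: true, status: 0, body: null,
//   reason: 'Synchronous XMLHttpRequest is disallowed by feature policy' }
console.log(trySyncGet(AllowedXMLHttpRequest, sampleUrl));
// { blocked: false, status: 200, body: '{"ok":true}', reason: null }
```

The constructor is injected rather than read from the global scope so the same handling code can be unit-tested against the blocked and allowed cases without a browser; the only property the detection relies on is the thrown exception's name, which is what the proposal specifies.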
Comment 1 youenn fablet 2018-03-02 09:46:55 PST
Hi Ian,

I guess that if there are other bugs related to feature policy that are filed, maybe having an umbrella bug might be useful.

The current feature policy "implementation" is minimal in that it only checks for the iframe attribute, (no headers checking) and is specific to media capture.
Comment 2 Ian Clelland 2018-03-02 13:21:04 PST
Thanks, Youenn --- I filed https://bugs.webkit.org/show_bug.cgi?id=183300; I'm not sure if bugzilla allows me to declare a dependency of this bug on that one.