Bug 1598470 - Reduce number of supported features in Feature Policy r=baku

Differential Revision: https://phabricator.services.mozilla.com/D54200

--HG--
extra : moz-landing-system : lando

dom/security/featurepolicy/FeaturePolicy.cpp

@@ -234,7 +234,13 @@ void FeaturePolicy::GetAllowlistForFeature(const nsAString& aFeatureName,
 }
 
 void FeaturePolicy::MaybeSetAllowedPolicy(const nsAString& aFeatureName) {
-  MOZ_ASSERT(FeaturePolicyUtils::IsSupportedFeature(aFeatureName));
+  MOZ_ASSERT(FeaturePolicyUtils::IsSupportedFeature(aFeatureName) ||
+             FeaturePolicyUtils::IsExperimentalFeature(aFeatureName));
+  // Skip if feature is in experimental pharse
+  if (!StaticPrefs::dom_security_featurePolicy_experimental_enabled() &&
+      FeaturePolicyUtils::IsExperimentalFeature(aFeatureName)) {
+    return;
+  }
 
   if (HasDeclaredFeature(aFeatureName)) {
     return;

dom/security/featurepolicy/FeaturePolicyUtils.cpp

@@ -27,25 +27,46 @@ struct FeatureMap {
  * DOM Security peer!
  */
 static FeatureMap sSupportedFeatures[] = {
+    {"camera", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
+    {"geolocation", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
+    {"microphone", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
+    {"display-capture", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
+    {"fullscreen", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
+};
+
+/*
+ * This is experimental features list, which is disabled by default by pref
+ * dom.security.featurePolicy.experimental.enabled.
+ */
+static FeatureMap sExperimentalFeatures[] = {
     // We don't support 'autoplay' for now, because it would be overwrote by
     // 'user-gesture-activation' policy. However, we can still keep it in the
     // list as we might start supporting it after we use different autoplay
     // policy.
     {"autoplay", FeaturePolicyUtils::FeaturePolicyValue::eAll},
-    {"camera", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
     {"encrypted-media", FeaturePolicyUtils::FeaturePolicyValue::eAll},
-    {"fullscreen", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
-    {"geolocation", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
-    {"microphone", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
     {"midi", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
     {"payment", FeaturePolicyUtils::FeaturePolicyValue::eAll},
     {"document-domain", FeaturePolicyUtils::FeaturePolicyValue::eAll},
-    {"display-capture", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
     // TODO: not supported yet!!!
     {"speaker", FeaturePolicyUtils::FeaturePolicyValue::eSelf},
     {"vr", FeaturePolicyUtils::FeaturePolicyValue::eAll},
 };
 
+/* static */
+bool FeaturePolicyUtils::IsExperimentalFeature(const nsAString& aFeatureName) {
+  uint32_t numFeatures =
+      (sizeof(sExperimentalFeatures) / sizeof(sExperimentalFeatures[0]));
+  for (uint32_t i = 0; i < numFeatures; ++i) {
+    if (aFeatureName.LowerCaseEqualsASCII(
+            sExperimentalFeatures[i].mFeatureName)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /* static */
 bool FeaturePolicyUtils::IsSupportedFeature(const nsAString& aFeatureName) {
   uint32_t numFeatures =
@@ -55,6 +76,12 @@ bool FeaturePolicyUtils::IsSupportedFeature(const nsAString& aFeatureName) {
       return true;
     }
   }
+
+  if (StaticPrefs::dom_security_featurePolicy_experimental_enabled() &&
+      IsExperimentalFeature(aFeatureName)) {
+    return true;
+  }
+
   return false;
 }
 
@@ -66,6 +93,14 @@ void FeaturePolicyUtils::ForEachFeature(
   for (uint32_t i = 0; i < numFeatures; ++i) {
     aCallback(sSupportedFeatures[i].mFeatureName);
   }
+
+  if (StaticPrefs::dom_security_featurePolicy_experimental_enabled()) {
+    numFeatures =
+        (sizeof(sExperimentalFeatures) / sizeof(sExperimentalFeatures[0]));
+    for (uint32_t i = 0; i < numFeatures; ++i) {
+      aCallback(sExperimentalFeatures[i].mFeatureName);
+    }
+  }
 }
 
 /* static */ FeaturePolicyUtils::FeaturePolicyValue
@@ -78,6 +113,17 @@ FeaturePolicyUtils::DefaultAllowListFeature(const nsAString& aFeatureName) {
     }
   }
 
+  if (StaticPrefs::dom_security_featurePolicy_experimental_enabled()) {
+    numFeatures =
+        (sizeof(sExperimentalFeatures) / sizeof(sExperimentalFeatures[0]));
+    for (uint32_t i = 0; i < numFeatures; ++i) {
+      if (aFeatureName.LowerCaseEqualsASCII(
+              sExperimentalFeatures[i].mFeatureName)) {
+        return sExperimentalFeatures[i].mDefaultAllowList;
+      }
+    }
+  }
+
   return FeaturePolicyValue::eNone;
 }
 
@@ -90,6 +136,12 @@ bool FeaturePolicyUtils::IsFeatureAllowed(Document* aDocument,
     return true;
   }
 
+  // Skip apply features in experimental pharse
+  if (!StaticPrefs::dom_security_featurePolicy_experimental_enabled() &&
+      IsExperimentalFeature(aFeatureName)) {
+    return true;
+  }
+
   if (!aDocument->IsHTMLDocument()) {
     return true;
   }

dom/security/featurepolicy/FeaturePolicyUtils.h

@@ -38,6 +38,9 @@ class FeaturePolicyUtils final {
   // Returns true if aFeatureName is a known feature policy name.
   static bool IsSupportedFeature(const nsAString& aFeatureName);
 
+  // Returns true if aFeatureName is a experimental feature policy name.
+  static bool IsExperimentalFeature(const nsAString& aFeatureName);
+
   // Runs aCallback for each known feature policy, with the feature name as
   // argument.
   static void ForEachFeature(const std::function<void(const char*)>& aCallback);

modules/libpref/init/StaticPrefList.yaml

@@ -2173,6 +2173,11 @@
   value: true
   mirror: always
 
+- name: dom.security.featurePolicy.experimental.enabled
+  type: bool
+  value: false
+  mirror: always
+
 # Expose the 'policy' attribute in document and HTMLIFrameElement
 - name: dom.security.featurePolicy.webidl.enabled
   type: bool

testing/web-platform/meta/encrypted-media/__dir__.ini

@@ -1,3 +1,3 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
 lsan-allowed: [Alloc, CreateCDMProxy, MakeUnique, Malloc, NewPage, Realloc, mozilla::EMEDecryptor::EMEDecryptor, mozilla::SchedulerGroup::CreateEventTargetFor, mozilla::dom::MediaKeys::CreateCDMProxy, mozilla::dom::ContentChild::GetConstructedEventTarget]
 leak-threshold: [default:51200]

testing/web-platform/meta/feature-policy/__dir__.ini

@@ -1,2 +1,2 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.payments.request.enabled:true, dom.reporting.enabled:true, dom.reporting.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true, dom.webmidi.enabled:true, dom.vr.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.payments.request.enabled:true, dom.reporting.enabled:true, dom.reporting.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true, dom.webmidi.enabled:true, dom.vr.enabled:true]
 leak-threshold: [default:51200]

testing/web-platform/meta/geolocation-sensor/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.reporting.enabled:true, dom.reporting.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.reporting.enabled:true, dom.reporting.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]

testing/web-platform/meta/html/browsers/origin/relaxing-the-same-origin-restriction/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.security.featurePolicy.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true]

testing/web-platform/meta/html/dom/idlharness.https.html.ini

@@ -1,4 +1,4 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true, dom.webcomponents.elementInternals.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true, dom.webcomponents.elementInternals.enabled:true]
 [idlharness.https.html?exclude=(Document|Window|HTML.*)]
   [ElementInternals interface: operation setValidity(ValidityStateFlags, DOMString, HTMLElement)]
     expected: FAIL

testing/web-platform/meta/html/semantics/embedded-content/media-elements/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]

testing/web-platform/meta/idle-detection/idle-detection-allowed-by-feature-policy-attribute-redirect-on-load.https.sub.html.ini

@@ -1,4 +1,4 @@
-prefs: [dom.security.featurePolicy.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true]
 [idle-detection-allowed-by-feature-policy-attribute-redirect-on-load.https.sub.html]
   expected: TIMEOUT
   [Attribute allow="idle-detection" in top-level frame disallows workers in cross-origin relocation.]

testing/web-platform/meta/idle-detection/idle-detection-allowed-by-feature-policy-attribute.https.sub.html.ini

@@ -1,4 +1,4 @@
-prefs: [dom.security.featurePolicy.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true]
 [idle-detection-allowed-by-feature-policy-attribute.https.sub.html]
   expected: TIMEOUT
   [Attribute allow="idle-detection" in top-level frame can be enabled in a worker in cross-origin iframe using Feature policy "idle-detection".]

testing/web-platform/meta/serial/__dir__.ini

@@ -1,2 +1,2 @@
-prefs: [dom.security.featurePolicy.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true]
 leak-threshold: [default:51200]

testing/web-platform/meta/wake-lock/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]

testing/web-platform/meta/webusb/__dir__.ini

@@ -1,2 +1,2 @@
-prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
 lsan-allowed: [Alloc, Create, Malloc, Then, mozilla::BasePrincipal::CreateContentPrincipal, mozilla::SchedulerGroup::CreateEventTargetFor, mozilla::dom::ServiceWorkerJobQueue::RunJob, mozilla::dom::ServiceWorkerManager::Unregister, mozilla::dom::ServiceWorkerRegistrationMainThread::Unregister, mozilla::dom::UnregisterCallback::UnregisterCallback, mozilla::net::nsStandardURL::TemplatedMutator, operator]

testing/web-platform/meta/webvr/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.vr.enabled:true, dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]
+prefs: [dom.vr.enabled:true, dom.security.featurePolicy.enabled:true, dom.security.featurePolicy.experimental.enabled:true, dom.security.featurePolicy.header.enabled:true, dom.security.featurePolicy.webidl.enabled:true]