Mastodawn

Doug Parker 🕸️Dec 26, 2022

Apparently if you disable the "fullscreen" #FeaturePolicy, it disables #Chrome's built-in full screen feature for `<video />` tags.

That seems weird to me, I would think that `fullscreen 'none';` means "I will not call `.requestFullscreen()` on an element", not "No user will want to use built-in browser behaviors to full screen something".

I would think that user agent functionality would override these kinds of restrictions, and I'm surprised to see that they don't.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen

Permissions-Policy: fullscreen - HTTP | MDN

The HTTP Permissions-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullscreen().

MDN Web Docs

Guardian Project Aug 30, 2019

#HTTP #FeaturePolicy is a new way for websites to practice #LeastAuthority and build trust with users by disabling access to #browser APIs that are not used. Browsers already include it but the spec isn't final: it is missing a way to set the default to none. Join the discussion here https://github.com/w3c/webappsec-feature-policy/issues/189 #w3c

Proposal: define default for all · Issue #189 · w3c/webappsec-feature-policy

I propose Feature-Policy adopt Content-Security-Policy concept and be able to define all default, example: Feature-Policy: default 'none' Feature-Policy: default 'none'; fullscreen ...

Hadley Beeman May 22, 2019

We just finished discussing the evolution of #featurepolicy with @[email protected].

Should it split into 3?
• sandboxing behaviours within an iframe
• imposing conditions on the document itself, and
• dealing with permission-requiring features

@tag

https://github.com/w3ctag/design-reviews/issues/341

Feature policy evolution · Issue #341 · w3ctag/design-reviews

こんにちはTAG！ Special delivery courtesy of your request of me earlier this evening. I would like to draw your attention to two aspects of Feature policy. Feature policy itself was reviewed by the TAG w...