Document-Policy header

Document Policy restricts the surface area of the web platform on a per-document basis, similar to iframe sandboxing, but more flexibly. It can do things like:

  • Restrict the use of poorly-performing images
  • Disable slow synchronous JS APIs
  • Configure iframe, image, or script loading styles
  • Restrict overall document sizes or network usage
  • Restrict patterns which cause page re-layout

This entry covers only the HTTP header used to set a policy on a document, separate from any individual features.

(See the Document Policy feature entry for the main motivation.) In addition to the items listed in the summary, the header will be immediately useful for allowing sites to opt out of fragment and text-fragment scrolling on load, as a privacy mitigation for the Scroll-to-text-fragment feature.

Comments

The Document-Policy HTTP header configures the behavior of the web platform on the documents with which it is served. This is the first part of shipping the Document Policy API; required policy negotiation and restrictions on sub-documents embedded in iframes are not included. This feature also does not cover any of the actual configuration policies; those will be separate features with their own launches.

Documentation

Specification

Editor's draft

Status in Chromium

Blink>FeaturePolicy

Enabled by default (tracking bug) in:

  • Chrome for desktop release 86
  • Chrome for Android release 86
  • Android WebView release 86

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Neutral
  • No signal
  • No signal
  • No signals


Last updated on 2020-09-16