
Document-Policy header

Category
Miscellaneous
Type
Chromium catches up
Status
Enabled by default (Chrome 86)
Intent stage
Prepare to ship

Summary

Document Policy restricts the surface area of the web platform on a per-document basis, similar to iframe sandboxing, but more flexibly. It can do things like:

- Restrict the use of poorly-performing images
- Disable slow synchronous JS APIs
- Configure iframe, image, or script loading styles
- Restrict overall document sizes or network usage
- Restrict patterns which cause page re-layout

This is just the HTTP header used to set a policy on a document, separate from any features.

Motivation

(See the Document Policy feature for most of the motivation.) In addition to the items listed in the summary, the header will be immediately important for allowing sites to opt out of fragment and text-fragment scrolling on load, as a privacy mitigation for the Scroll-to-text-fragment feature.
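The following added example (not part of the original entry or of Chromium) audits HTTP responses for the scroll-on-load opt-out. It uses `force-load-at-top`, the feature name Chrome uses for this opt-out, which this page does not spell out; the paths, the sample headers and the `x-example-feature` name are constructed, and the parser handles only a simplified subset of the Structured Fields dictionary syntax.

```python
"""Audit responses for the Document-Policy scroll-on-load opt-out (added example)."""

OPT_OUT = "force-load-at-top"  # Chrome's feature name; not stated on this page


def parse_document_policy(value):
    """Parse a simplified subset of the Structured Fields dictionary syntax.

    Bare keys and "?1" are True, "?0" is False, other values stay strings.
    Member parameters (after ';') are dropped. Quoted strings containing
    commas are not handled. Later duplicates of a key win.
    """
    policy = {}
    for member in value.split(","):
        member = member.split(";", 1)[0].strip()
        if not member:
            continue
        key, sep, raw = member.partition("=")
        raw = raw.strip()
        if not sep or raw == "?1":
            policy[key.strip()] = True
        elif raw == "?0":
            policy[key.strip()] = False
        else:
            policy[key.strip()] = raw
    return policy


def scroll_on_load_disabled(headers):
    """True only if an enforced Document-Policy header sets the opt-out."""
    for name, value in headers.items():
        if name.lower() == "document-policy":  # header names are case-insensitive
            return parse_document_policy(value).get(OPT_OUT) is True
    return False


def audit(responses):
    """Return the sorted paths whose responses lack the opt-out."""
    return sorted(p for p, h in responses.items() if not scroll_on_load_disabled(h))


# Constructed sample responses: path -> response headers.
SAMPLE_RESPONSES = {
    "/account": {"Content-Type": "text/html", "Document-Policy": "force-load-at-top"},
    "/inbox": {"content-type": "text/html", "document-policy": "force-load-at-top=?0"},
    "/help": {"Content-Type": "text/html"},
    "/search": {"Document-Policy": "x-example-feature=2.0, force-load-at-top=?1"},
}

if __name__ == "__main__":
    print("Missing opt-out:", audit(SAMPLE_RESPONSES))
```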

Standards & signals

Docs:
https://w3c.github.io/webappsec-permissions-policy/document-policy.html
https://github.com/w3c/webappsec-permissions-policy/blob/master/document-policy-explainer.md

Explainers: https://github.com/w3c/webappsec-permissions-policy/blob/master/document-policy-explainer.md
