Each document and each HTMLIFrameElement have a FeaturePolicy object which is
used to allow or deny features in their contexts.
FeaturePolicy is composed by a set of directives configured by the
'Feature-Policy' HTTP Header and the 'allow' attribute in HTMLIFrameElements.
Both header and attribute are parsed by FeaturePolicyParser which returns an
array of Feature objects. Each Feature object has a feature name and one of
- eNone - the feature is fully disabled.
- eAll - the feature is allowed.
- eAllowList - the feature is allowed for a list of origins.
An interesting element of FeaturePolicy is the inheritance: each context
inherits the feature-policy directives from the parent context, if it exists.
When a context inherits a policy for feature X, it only knows if that feature
is allowed or denied (it ignores the list of allowed origins for instance).
This information is stored in an array of inherited feature strings because
we care only to know when they are denied.
FeaturePolicy can be reset if the 'allow' or 'src' attributes change in
HTMLIFrameElements. 'src' attribute is important to compute correcly
the features via FeaturePolicy 'src' keyword.
When FeaturePolicy must decide if feature X is allowed or denied for the
current origin, it checks if the parent context denied that feature.
If not, it checks if there is a Feature object for that
feature named X and if the origin is allowed or not.
From a C++ point of view, use FeaturePolicyUtils to obtain the list of
features and to check if they are allowed in the current context.
dom.security.featurePolicy.header.enabled pref can be used to disable the
HTTP header support.
||IMPORTANT: Do not change this list without review from a DOM peer _AND_ a
DOM Security peer!