whatwg/xhr#322 drops the sync-xhr policy-controlled feature from XHR.
There are two references to the sync-xhr feature that should therefore be be replaced in the Permissions Policy spec:
|
new_frame.allow = 'sync-xhr'; |
|
// This will be true, as the iframe is allowed to use sync-xhr at whatever URL is |
|
// mentioned in its src attribute, even though that attribute is not yet set. |
|
const is_sync_xhr_allowed = new_frame.permissionsPolicy.allowsFeature('sync-xhr'); |
|
<div class="example"> |
|
<p>As a practical (though contrived) example, consider a document which uses |
|
synchronous XMLHttpRequest to determine whether a user has sufficient |
|
privileges to access the page:</p> |
|
|
|
<pre> |
|
<!DOCTYPE html> |
|
<h1>Welcome to SecureCorp!</h1> |
|
<script> |
|
var req = new XMLHttpRequest(); |
|
req.open("GET", "/api/security_check.json", false); |
|
req.send(); |
|
if (req.response == "untrusted user") { |
|
// User is not logged in; redirect to a safe page |
|
location.href = "/security_check_failed.html"; |
|
} |
|
</script> |
|
<!-- Page continues with assumption that user is logged in --> |
|
</pre> |
|
|
|
<p>If this document is embedded by a page which disables the |
|
"<code>sync-xhr</code>" feature, the call to `XMLHttpRequest.open()` would |
|
fail, and the security check would be bypassed.</p> |
|
</div> |
