Description
There are a number of places in the web platform where some policy or state is inherited from one context to another. It's up to each feature in the platform to define how it gets inherited or not. The result is that there are a number of inconsistent inheritance behaviors.
Some downsides of this inconsistent behavior are:
- Confusing API surface for developers.
- Special case logic is required in implementations resulting in brittleness and increased security risk. (Many of the policies have security implications.)
- Increased cost to specifying a new feature because inheritance must be figured out again for each feature individually.
It might be nice to have some guidance on how inheritance should work on the web platform to produce a more consistent system.
Off the top of my head I can think of the following types of inheritance:
- origin: Local URLs like about:blank, about:srcdoc, and blob: inherit the origin from another context. The about: URLs inherit from their parent context while blob: URLs inherit from the context where `createObjectURL()` was called.
- service worker controller: The service worker group decided to inherit the controller from the parent context to any local URL of the same origin. So about:blank, about:srcdoc, and blob: URL contexts inherit the controlling worker from their parent. Note, this deviates from how the origin for the blob: URL is inherited. See "Should an IFRAME without src be controlled by SW when its parent is controlled?" (w3c/ServiceWorker#612), "should blob URLs inherit controller from parent environment or environment that called `createObjectURL()`?" (w3c/ServiceWorker#1261), and "should a frame navigated to about:blank inherit a service worker controller?" (w3c/ServiceWorker#1350).
- CSP: I believe the latest spec requires CSP to be inherited not just for local URLs, but also sometimes for contexts with a non-local URL. For example, it defines that dedicated workers should inherit CSP from their document, but does not apply this inheritance to iframes or other worker types. There has been a request from Mozilla to possibly change the spec here. See "Should Workers inherit CSP directives from the parent context?" (w3c/webappsec-csp#336).
- feature policy: The feature policy spec is also discussing possibly inheriting just for dedicated workers similar to CSP. See Add Feature Policy for workers w3c/webappsec-permissions-policy#174.
- referrer policy: I believe referrer policy is inherited from documents to a dedicated worker, but I'm less sure about this one.
There are probably more cases to consider.
My personal preference would be to make all inheritable attributes align to the same source. So if a local URL inherits an origin from a context, then all other attributes are inherited from that same source context. If a context has its own URL that defines its own origin, then nothing is inherited from other contexts.
Thanks for your help sorting this out!