Add Permissions Policy integration with "allowed to use" check

[MayyaSunil]

Resolves issue #37 by adding proper Permissions Policy integration to the Local Network Access check algorithm

Changes:

• Replace TODO with normative algorithm steps for permission checking in the Local Network Access check algorithm
• Add "allowed to use" check to verify the "local-network-access" policy-controlled feature is allowed before checking permission state (refer comment)
• Add anchor definition for HTML spec's "associated Document" term

---

Preview | Diff

[MayyaSunil]

This still assumes a single permission model and will be modifed once #17 is resolved.

[christhompson]

Thanks for fleshing out this TODO! Overall this LGTM with a couple comments.

[christhompson]

I think this is a strict subset of step 2 above and can be cut.

[christhompson]

We'll want to specify the behavior for Workers here at some point, but I think okay to punt.

IIRC for Dedicated Workers and Shared Workers, the associated Document should be well defined (although we might need to traverse up the tree of global objects to get to the owning Window for the case of nested workers?), but for Service Workers the associated Document is only defined if we have a window client. It might be worth flagging this as a TODO here (and that permissions policy isn't supported in workers w3c/webappsec-permissions-policy#207).

(This gives rise to the current behavior in Chromium where we don't even try to get at the service worker's window client, since no such window client may exist if the service worker is running in the background, and instead rely on checking whether the LNA permission has been granted to the service worker's script URL.)

[annevk]

That's also technically the case for shared workers. We also don't let shared/service workers look up an owning document as it is inherently racy.

[christhompson]

That's also technically the case for shared workers. We also don't let shared/service workers look up an owning document as it is inherently racy.

Right, and I realize that matches Chromium's implementation currently (we get the document for Dedicated Workers but Shared Workers are treated the same as Service Workers).

There's some precedent for doing this on a best-effort basis in Chromium -- we do it for client cert selection for example (looking up by window ID from the worker context, if we have that information).

It seems like there is some desire for this from developers for LNA, even if it doesn't always work. I do feel like we're maybe treading new ground for permissions-in-workers in many ways though, and for now the "must pre-grant the permission to the worker origin" seems "good enough" maybe? Opinions very welcome on this area.

[annevk]

I would prefer not doing anything magical/new for shared/service workers. We probably have to go through some scenarios to see how to best tackle them.

[christhompson]

LGTM!

[annevk]

This does seem to further cement using a single permission btw. Given the revived interest in #17 perhaps it's a bit weird to merge this as-is?

[MayyaSunil]

right @annevk, as mentioned here my initial plan was to re-write this after #17 is resolved. After #17 is resolved we need to modify the spec text in a lot of places including here.

[MayyaSunil]

@christhompson @annevk, do you want me to re-write this patch with fine-grained permissions (with names we all agreed to i.e., local-network and loopback-network) or we merge this patch as is and visit this after #17 is resolved?