Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 482 insertions, 0 deletions

diff --git a/dom/security/featurepolicy/test/mochitest/empty.html b/dom/security/featurepolicy/test/mochitest/empty.html
new file mode 100644
index 0000000000..64355e7d19
--- /dev/null
+++ b/dom/security/featurepolicy/test/mochitest/empty.html
@@ -0,0 +1 @@
+Nothing here
diff --git a/dom/security/featurepolicy/test/mochitest/mochitest.toml b/dom/security/featurepolicy/test/mochitest/mochitest.toml
new file mode 100644
index 0000000000..c621331596
--- /dev/null
+++ b/dom/security/featurepolicy/test/mochitest/mochitest.toml
@@ -0,0 +1,14 @@
+[DEFAULT]
+prefs = [
+  "dom.security.featurePolicy.header.enabled=true",
+  "dom.security.featurePolicy.webidl.enabled=true",
+]
+support-files = [
+  "empty.html",
+  "test_parser.html^headers^",
+]
+
+["test_featureList.html"]
+
+["test_parser.html"]
+fail-if = ["xorigin"]
diff --git a/dom/security/featurepolicy/test/mochitest/test_featureList.html b/dom/security/featurepolicy/test/mochitest/test_featureList.html
new file mode 100644
index 0000000000..8a518da653
--- /dev/null
+++ b/dom/security/featurepolicy/test/mochitest/test_featureList.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test feature policy - list</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe src="empty.html" id="ifr"></iframe>
+<script type="text/javascript">
+
+let supportedFeatures = [
+  "autoplay",
+  "camera",
+  "encrypted-media",
+  "fullscreen",
+  "gamepad",
+  "geolocation",
+  "microphone",
+  "midi",
+  "payment",
+  "publickey-credentials-create",
+  "publickey-credentials-get",
+  "storage-access",
+  "display-capture",
+  "document-domain",
+  "speaker-selection",
+  "vr",
+  "web-share",
+  "screen-wake-lock",
+];
+
+function checkFeatures(features) {
+  features.forEach(feature => {
+    ok(supportedFeatures.includes(feature), "Feature: " + feature);
+  });
+}
+
+ok("featurePolicy" in document, "We have document.featurePolicy");
+checkFeatures(document.featurePolicy.features());
+
+let ifr = document.getElementById("ifr");
+ok("featurePolicy" in ifr, "We have HTMLIFrameElement.featurePolicy");
+checkFeatures(ifr.featurePolicy.features());
+
+</script>
+</body>
+</html>
diff --git a/dom/security/featurepolicy/test/mochitest/test_parser.html b/dom/security/featurepolicy/test/mochitest/test_parser.html
new file mode 100644
index 0000000000..a8322f6e7d
--- /dev/null
+++ b/dom/security/featurepolicy/test/mochitest/test_parser.html
@@ -0,0 +1,418 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test feature policy - parsing</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe src="empty.html" id="ifr"></iframe>
+<iframe src="https://example.org/tests/dom/security/featurePolicy/test/mochitest/empty.html" id="cross_ifr"></iframe>
+<script type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+const CROSS_ORIGIN = "https://example.org";
+
+function test_document() {
+  info("Checking document.featurePolicy");
+  ok("featurePolicy" in document, "We have document.featurePolicy");
+
+  ok(!document.featurePolicy.allowsFeature("foobar"), "Random feature");
+  ok(!document.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+  ok(document.featurePolicy.allowsFeature("camera"), "Camera is allowed for self");
+  ok(document.featurePolicy.allowsFeature("camera", "https://foo.bar"), "Camera is always allowed");
+  let allowed = document.featurePolicy.getAllowlistForFeature("camera");
+  is(allowed.length, 1, "Only 1 entry in allowlist for camera");
+  is(allowed[0], "*", "allowlist is *");
+
+  ok(document.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+  ok(document.featurePolicy.allowsFeature("geolocation", location.origin), "Geolocation is allowed for self");
+  ok(!document.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+  allowed = document.featurePolicy.getAllowlistForFeature("geolocation");
+  is(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+  is(allowed[0], location.origin, "allowlist is self");
+
+  ok(!document.featurePolicy.allowsFeature("microphone"), "Microphone is disabled for self");
+  ok(!document.featurePolicy.allowsFeature("microphone", location.origin), "Microphone is disabled for self");
+  ok(!document.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+  ok(document.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is allowed for example.com");
+  ok(document.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is allowed for example.org");
+  allowed = document.featurePolicy.getAllowlistForFeature("microphone");
+  is(allowed.length, 0, "No allowlist for microphone");
+
+  ok(!document.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+  ok(!document.featurePolicy.allowsFeature("vr", location.origin), "Vibrate is disabled for self");
+  ok(!document.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+  allowed = document.featurePolicy.getAllowlistForFeature("vr");
+  is(allowed.length, 0, "No allowlist for vr");
+
+  allowed = document.featurePolicy.allowedFeatures();
+  // microphone is disabled for this origin, vr is disabled everywhere.
+  let camera = false;
+  let geolocation = false;
+  allowed.forEach(a => {
+    if (a == "camera") camera = true;
+    if (a == "geolocation") geolocation = true;
+  });
+
+  ok(camera, "Camera is always allowed");
+  ok(geolocation, "Geolocation is allowed only for self");
+
+  next();
+}
+
+function test_iframe_without_allow() {
+  info("Checking HTMLIFrameElement.featurePolicy");
+  let ifr = document.getElementById("ifr");
+  ok("featurePolicy" in ifr, "HTMLIFrameElement.featurePolicy exists");
+
+  ok(!ifr.featurePolicy.allowsFeature("foobar"), "Random feature");
+  ok(!ifr.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+  ok(ifr.featurePolicy.allowsFeature("camera"), "Camera is allowed for self");
+  ok(ifr.featurePolicy.allowsFeature("camera", location.origin), "Camera is allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("camera", "https://foo.bar"), "Camera is not allowed for a random URL");
+  let allowed = ifr.featurePolicy.getAllowlistForFeature("camera");
+  is(allowed.length, 1, "Only 1 entry in allowlist for camera");
+  is(allowed[0], location.origin, "allowlist is 'self'");
+
+  ok(ifr.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+  ok(ifr.featurePolicy.allowsFeature("geolocation", location.origin), "Geolocation is allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("geolocation");
+  is(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+  is(allowed[0], location.origin, "allowlist is '*'");
+
+  ok(!ifr.featurePolicy.allowsFeature("microphone"), "Microphone is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", location.origin), "Microphone is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is disabled for example.org");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("microphone");
+  is(allowed.length, 0, "No allowlist for microphone");
+
+  ok(!ifr.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", location.origin), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("vr");
+  is(allowed.length, 0, "No allowlist for vr");
+
+  ok(ifr.featurePolicy.allowedFeatures().includes("camera"), "Camera is allowed");
+  ok(ifr.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is allowed");
+  // microphone is disabled for this origin
+  ok(!ifr.featurePolicy.allowedFeatures().includes("microphone"), "microphone is not allowed");
+  // vr is disabled everywhere.
+  ok(!ifr.featurePolicy.allowedFeatures().includes("vr"), "VR is not allowed");
+
+  next();
+}
+
+function test_iframe_with_allow() {
+  info("Checking HTMLIFrameElement.featurePolicy");
+  let ifr = document.getElementById("ifr");
+  ok("featurePolicy" in ifr, "HTMLIFrameElement.featurePolicy exists");
+
+  ifr.setAttribute("allow", "camera 'none'");
+
+  ok(!ifr.featurePolicy.allowsFeature("foobar"), "Random feature");
+  ok(!ifr.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+  ok(!ifr.featurePolicy.allowsFeature("camera"), "Camera is not allowed");
+  let allowed = ifr.featurePolicy.getAllowlistForFeature("camera");
+  is(allowed.length, 0, "Camera has an empty allowlist");
+
+  ok(ifr.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+  ok(ifr.featurePolicy.allowsFeature("geolocation", location.origin), "Geolocation is allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("geolocation");
+  is(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+  is(allowed[0], location.origin, "allowlist is '*'");
+
+  ok(!ifr.featurePolicy.allowsFeature("microphone"), "Microphone is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", location.origin), "Microphone is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is disabled for example.org");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("microphone");
+  is(allowed.length, 0, "No allowlist for microphone");
+
+  ok(!ifr.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", location.origin), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("vr");
+  is(allowed.length, 0, "No allowlist for vr");
+
+  ok(ifr.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is allowed only for self");
+
+  next();
+}
+
+function test_iframe_contentDocument() {
+  info("Checking iframe document.featurePolicy");
+
+  let ifr = document.createElement("iframe");
+  ifr.setAttribute("src", "empty.html");
+  ifr.onload = function() {
+    ok("featurePolicy" in ifr.contentDocument, "We have ifr.contentDocument.featurePolicy");
+
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("foobar"), "Random feature");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+    ok(ifr.contentDocument.featurePolicy.allowsFeature("camera"), "Camera is allowed for self");
+    ok(ifr.contentDocument.featurePolicy.allowsFeature("camera", location.origin), "Camera is allowed for self");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("camera", "https://foo.bar"), "Camera is allowed for self");
+    let allowed = ifr.contentDocument.featurePolicy.getAllowlistForFeature("camera");
+    is(allowed.length, 1, "Only 1 entry in allowlist for camera");
+    is(allowed[0], location.origin, "allowlist is 'self'");
+
+    ok(ifr.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+    ok(ifr.featurePolicy.allowsFeature("geolocation", location.origin), "Geolocation is allowed for self");
+    ok(!ifr.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+    allowed = ifr.featurePolicy.getAllowlistForFeature("geolocation");
+    is(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+    is(allowed[0], location.origin, "allowlist is '*'");
+
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("microphone"), "Microphone is disabled for self");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("microphone", location.origin), "Microphone is disabled for self");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is allowed for example.com");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is allowed for example.org");
+    allowed = ifr.contentDocument.featurePolicy.getAllowlistForFeature("microphone");
+    is(allowed.length, 0, "No allowlist for microphone");
+
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("vr", location.origin), "Vibrate is disabled for self");
+    ok(!ifr.contentDocument.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+    allowed = ifr.contentDocument.featurePolicy.getAllowlistForFeature("vr");
+    is(allowed.length, 0, "No allowlist for vr");
+
+    ok(ifr.contentDocument.featurePolicy.allowedFeatures().includes("camera"), "Camera is allowed");
+    ok(ifr.contentDocument.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is allowed");
+    // microphone is disabled for this origin
+    ok(!ifr.contentDocument.featurePolicy.allowedFeatures().includes("microphone"), "Microphone is not allowed");
+    // vr is disabled everywhere.
+    ok(!ifr.contentDocument.featurePolicy.allowedFeatures().includes("vr"), "VR is not allowed");
+
+    next();
+  };
+  document.body.appendChild(ifr);
+}
+
+function test_cross_iframe_without_allow() {
+  info("Checking cross HTMLIFrameElement.featurePolicy no allow");
+  let ifr = document.getElementById("cross_ifr");
+  ok("featurePolicy" in ifr, "HTMLIFrameElement.featurePolicy exists");
+
+  ok(!ifr.featurePolicy.allowsFeature("foobar"), "Random feature");
+  ok(!ifr.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+  ok(ifr.featurePolicy.allowsFeature("camera"), "Camera is allowed for self");
+  ok(ifr.featurePolicy.allowsFeature("camera", CROSS_ORIGIN), "Camera is allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("camera", "https://foo.bar"), "Camera is not allowed for a random URL");
+  let allowed = ifr.featurePolicy.getAllowlistForFeature("camera");
+  is(allowed.length, 1, "Only 1 entry in allowlist for camera");
+  is(allowed[0], CROSS_ORIGIN, "allowlist is 'self'");
+
+  ok(!ifr.featurePolicy.allowsFeature("geolocation"), "Geolocation is not allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("geolocation", CROSS_ORIGIN),
+    "Geolocation is not allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("geolocation");
+  is(allowed.length, 0, "No allowlist for geolocation");
+
+  ok(ifr.featurePolicy.allowsFeature("microphone"), "Microphone is enabled for self");
+  ok(ifr.featurePolicy.allowsFeature("microphone", CROSS_ORIGIN), "Microphone is enabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("microphone");
+  is(allowed.length, 1, "Only 1 entry in allowlist for microphone");
+  is(allowed[0], CROSS_ORIGIN, "allowlist is self");
+
+  ok(!ifr.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", CROSS_ORIGIN), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("vr");
+  is(allowed.length, 0, "No allowlist for vr");
+
+  ok(ifr.featurePolicy.allowedFeatures().includes("camera"), "Camera is allowed");
+  ok(!ifr.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is not allowed");
+  // microphone is enabled for this origin
+  ok(ifr.featurePolicy.allowedFeatures().includes("microphone"), "microphone is allowed");
+  // vr is disabled everywhere.
+  ok(!ifr.featurePolicy.allowedFeatures().includes("vr"), "VR is not allowed");
+
+  next();
+}
+
+function test_cross_iframe_with_allow() {
+  info("Checking cross HTMLIFrameElement.featurePolicy with allow");
+  let ifr = document.getElementById("cross_ifr");
+  ok("featurePolicy" in ifr, "HTMLIFrameElement.featurePolicy exists");
+
+  ifr.setAttribute("allow", "geolocation; camera 'none'");
+
+  ok(!ifr.featurePolicy.allowsFeature("foobar"), "Random feature");
+  ok(!ifr.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+  ok(!ifr.featurePolicy.allowsFeature("camera"), "Camera is not allowed");
+  let allowed = ifr.featurePolicy.getAllowlistForFeature("camera");
+  is(allowed.length, 0, "Camera has an empty allowlist");
+
+  ok(ifr.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+  ok(ifr.featurePolicy.allowsFeature("geolocation", CROSS_ORIGIN), "Geolocation is allowed for self");
+  ok(!ifr.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("geolocation");
+  is(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+  is(allowed[0], CROSS_ORIGIN, "allowlist is '*'");
+
+  ok(ifr.featurePolicy.allowsFeature("microphone"), "Microphone is enabled for self");
+  ok(ifr.featurePolicy.allowsFeature("microphone", CROSS_ORIGIN), "Microphone is enabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+  ok(!ifr.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("microphone");
+  is(allowed.length, 1, "Only 1 entry in allowlist for microphone");
+  is(allowed[0], CROSS_ORIGIN, "allowlist is self");
+
+  ok(!ifr.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", CROSS_ORIGIN), "Vibrate is disabled for self");
+  ok(!ifr.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+  allowed = ifr.featurePolicy.getAllowlistForFeature("vr");
+  is(allowed.length, 0, "No allowlist for vr");
+
+  ok(ifr.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is allowed only for self");
+  // microphone is enabled for this origin
+  ok(ifr.featurePolicy.allowedFeatures().includes("microphone"), "microphone is allowed");
+
+  next();
+}
+
+function test_cross_iframe_contentDocument_no_allow() {
+  info("Checking cross iframe document.featurePolicy no allow");
+
+  let ifr = document.createElement("iframe");
+  ifr.setAttribute("src", "https://example.org/tests/dom/security/featurePolicy/test/mochitest/empty.html");
+  ifr.onload = async function() {
+    await SpecialPowers.spawn(ifr, [], () => {
+      Assert.ok("featurePolicy" in this.content.document, "We have this.content.document.featurePolicy");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("foobar"), "Random feature");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("camera"), "Camera is allowed for self");
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("camera", "https://example.org"), "Camera is allowed for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("camera", "https://foo.bar"), "Camera is not allowed for a random URL");
+      let allowed = this.content.document.featurePolicy.getAllowlistForFeature("camera");
+      Assert.equal(allowed.length, 1, "Only 1 entry in allowlist for camera");
+      Assert.equal(allowed[0], "https://example.org", "allowlist is 'self'");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("geolocation"), "Geolocation is not allowed for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("geolocation", "https://example.org"),
+        "Geolocation is not allowed for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("geolocation");
+      Assert.equal(allowed.length, 0, "No allowlist for geolocation");
+
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("microphone"), "Microphone is enabled for self");
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is enabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("microphone");
+      Assert.equal(allowed.length, 1, "Only 1 entry in allowlist for microphone");
+      Assert.equal(allowed[0], "https://example.org", "allowlist is self");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr", "https://example.org"), "Vibrate is disabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("vr");
+      Assert.equal(allowed.length, 0, "No allowlist for vr");
+
+      Assert.ok(this.content.document.featurePolicy.allowedFeatures().includes("camera"), "Camera is allowed");
+      Assert.ok(!this.content.document.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is not allowed");
+      // microphone is enabled for this origin
+      Assert.ok(this.content.document.featurePolicy.allowedFeatures().includes("microphone"), "microphone is allowed");
+      // vr is disabled everywhere.
+      Assert.ok(!this.content.document.featurePolicy.allowedFeatures().includes("vr"), "VR is not allowed");
+    });
+
+    next();
+  };
+  document.body.appendChild(ifr);
+}
+
+function test_cross_iframe_contentDocument_allow() {
+  info("Checking cross iframe document.featurePolicy with allow");
+
+  let ifr = document.createElement("iframe");
+  ifr.setAttribute("src", "https://example.org/tests/dom/security/featurePolicy/test/mochitest/empty.html");
+  ifr.setAttribute("allow", "geolocation; camera 'none'");
+  ifr.onload = async function() {
+    await SpecialPowers.spawn(ifr, [], () => {
+      Assert.ok("featurePolicy" in this.content.document, "We have this.content.document.featurePolicy");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("foobar"), "Random feature");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("foobar", "https://www.something.net"), "Random feature");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("camera"), "Camera is not allowed");
+      let allowed = this.content.document.featurePolicy.getAllowlistForFeature("camera");
+      Assert.equal(allowed.length, 0, "Camera has an empty allowlist");
+
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("geolocation"), "Geolocation is allowed for self");
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("geolocation", "https://example.org"), "Geolocation is allowed for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("geolocation", "https://foo.bar"), "Geolocation is not allowed for any random URL");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("geolocation");
+      Assert.equal(allowed.length, 1, "Only 1 entry in allowlist for geolocation");
+      Assert.equal(allowed[0], "https://example.org", "allowlist is '*'");
+
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("microphone"), "Microphone is enabled for self");
+      Assert.ok(this.content.document.featurePolicy.allowsFeature("microphone", "https://example.org"), "Microphone is enabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("microphone", "https://foo.bar"), "Microphone is disabled for foo.bar");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("microphone", "https://example.com"), "Microphone is disabled for example.com");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("microphone");
+      Assert.equal(allowed.length, 1, "Only 1 entry in allowlist for microphone");
+      Assert.equal(allowed[0], "https://example.org", "allowlist is self");
+
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr"), "Vibrate is disabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr", "https://example.org"), "Vibrate is disabled for self");
+      Assert.ok(!this.content.document.featurePolicy.allowsFeature("vr", "https://foo.bar"), "Vibrate is disabled for foo.bar");
+      allowed = this.content.document.featurePolicy.getAllowlistForFeature("vr");
+      Assert.equal(allowed.length, 0, "No allowlist for vr");
+
+      Assert.ok(this.content.document.featurePolicy.allowedFeatures().includes("geolocation"), "Geolocation is allowed only for self");
+      // microphone is enabled for this origin
+      Assert.ok(this.content.document.featurePolicy.allowedFeatures().includes("microphone"), "microphone is allowed");
+    });
+
+    next();
+  };
+  document.body.appendChild(ifr);
+}
+
+
+var tests = [
+  test_document,
+  test_iframe_without_allow,
+  test_iframe_with_allow,
+  test_iframe_contentDocument,
+  test_cross_iframe_without_allow,
+  test_cross_iframe_with_allow,
+  test_cross_iframe_contentDocument_no_allow,
+  test_cross_iframe_contentDocument_allow
+];
+
+function next() {
+  if (!tests.length) {
+    SimpleTest.finish();
+    return;
+  }
+
+  var test = tests.shift();
+  test();
+}
+
+next();
+
+</script>
+</body>
+</html>
diff --git a/dom/security/featurepolicy/test/mochitest/test_parser.html^headers^ b/dom/security/featurepolicy/test/mochitest/test_parser.html^headers^
new file mode 100644
index 0000000000..949de013d3
--- /dev/null
+++ b/dom/security/featurepolicy/test/mochitest/test_parser.html^headers^
@@ -0,0 +1 @@
+Feature-Policy: camera *; geolocation 'self'; microphone https://example.com https://example.org; vr 'none'