Permissions-Policy [FEATURE]=([ORIGIN(s)]) example is confusing

[fergald]

URL: https://github.com/GoogleChrome/developer.chrome.com//blob/main/site/en/docs/privacy-sandbox/permissions-policy/index.md

The example [FEATURE]=([ORIGIN(s)]) text makes it seem like you can apply a policy to specific origins without applying it to the frame itself. So e.g. if the main frame is http://main.com with a subframe of http://subframe.com and it sets Permissions-Policy: feature=("http://subframe.com") the feature will not actually be enabled for http://subframe.com because it's not enabled for its parent frame.

In fact [FEATURE]=([ORIGIN(s)]) has the same effect as [FEATURE]=() unless [[ORIGIN(s)] happens to include the document's origin, in which case I believe it's the same as [FEATURE]=(self [ORIGIN(s)]). Given that it seems better to note include the example or at least to note that this is always the same as either () or (self ...).

The comment about needing to set allow on the iframe does not seem like it belongs in this section at all since I think it would also apply to the next example, [FEATURE]=(self [ORIGIN(s)])

Some discussion of this is on this thread

@kevinkiklee @clelland

[kevinkiklee]

Hey there, thanks for raising the issue! We'll get the doc updated.

[clelland]

Yes, as @fergald says, it's functionally identical to saying feature=(), although it's still valid syntax.

Maybe it's still useful to call out that you don't need the specific keyword self, but you do need to include your own origin if you intend to either use the feature or delegate it to others. So, to use the example in the issue, if the main frame were at http://main.com with a subframe at http://subframe.com, you could use a policy like

Permissions-Policy: feature=("https://main.com" "https://subframe.com")

to allow delegation to the subframe.

[alexandrascript]

This appears to have been addressed last year by @kevinkiklee, so closing this out. If the issue is not resolved, please re-open with more context.