I don't think we should make it so that allowing popups for one file, enables it for all files. Especially if we add UI for other, more riskier, policies.
Our same-domain policy for file:// is pretty complicated, but if we could make it so that if you apply a policy for file://foo/bar/baz.html, then that policy applies only to file://foo/bar and nothing else.
Btw, we do use the uri of the principal when setting these policies, right? Not the uri of the document?
I don't think we should make it so that allowing popups for one file, enables it for all files. Especially if we add UI for other, more riskier, policies.
Our same-domain policy for file:// is pretty complicated, but if we could make it so that if you apply a policy for file:// foo/bar/ baz.html, then that policy applies only to file://foo/bar and nothing else.
Btw, we do use the uri of the principal when setting these policies, right? Not the uri of the document?