SEP: Sandbox capabilities

[idosal]

Currently, the SEP sets the minimum required permissions for the app runtime (allow-scripts allow-same-origin). However, it doesn't address -

1. Additional capabilities like camera and microphone (@yannj-fr and others)
2. Hardening like base-uri (which can affect capabilities like translations between web apps and raw HTML) or nested iframes (which might also require ui: csp: frameDomains).

These can fundamentally alter the content the server chooses to advertise or return.

We need to define the negotiation for these capabilities.

[aharvard]

I like this idea. I can imagine that if a server understands a host doesn't support a camera or microphone, they might be able to provide some adaptive design, or at least a minimum message stating that the app won't work.

I bet we could have a lot of fun with hosts that have accelerometer support :)

[liady]

@aharvard exactly! And just imagine the AR possibilities 🙂
With capabilities negotiation and progressive enhancement this can work very similar to how webapps today are checking browser capabilities, and gracefully fallback of needed