Hi folks,

I've followed up on this internally at Google (talking to Chrome and
YouTube people) and also had a private thread with Marcos.

Marcos has proposed just changing the spec (and by extension, Gecko) to
make the permission policy be "*" by default, essentially codifying Chrome
and Safari's current behaviour of allowing embeds to use Web Share without
permission, but giving embedders the option to explicitly block it:
https://github.com/w3c/web-share/pull/234

My preference is actually to try and enforce the current spec (default of
"self") which would mean YT and other embeds are blocked from using Web
Share by default, unless granted permission by the embedder.

As I see it, the only major issue with YouTube being a huge user of Web
Share in iframes, is that the share button is apparently broken (as in, if
clicked, it throws a JS exception) if the permission is blocked. That's
simply a bug which we can get YouTube to fix (I am following up internally
with YouTube). If that bug is fixed, then I don't see a problem with the
share button falling back to use the internal in-page share UI (rather than
using the Web Share API) on the majority of embedded YT videos, with the
option for embedders to grant the permission if they want that UI to work.

Either way, we should come to a consensus on this and align the spec and
three implementations in relatively short order (O(days-weeks)).

Apologies that this issue has been left dangling for years.

Matt

On Fri, 27 May 2022 at 02:35, Joshua Bell <jsb...@chromium.org> wrote:

> Thanks for the pings, Marcos. I'll try and have an update for you in the
> next week.
>
> On Thu, May 26, 2022 at 8:07 AM Marcos Caceres <mar...@marcosc.com> wrote:
>
>> Just checking in again 👋 I'm wondering if by chance folks here might be
>> able to ping the YouTube folks one last time? It's been a while, so maybe
>> they will respond this time?
>>
>> Also, if we can try to get some cross-browser resolution around
>> permission policy for Web Share, it would be really great.
>>
>> On Friday, May 20, 2022 at 6:36:22 PM UTC+10 Marcos Caceres wrote:
>>
>>> Hi All,
>>>
>>> Coming back to this as it's now starting to cause Web compatibility issues
>>> across both Firefox and SafariTP (both of which implement `'self'`).
>>>
>>> I'm still worried that the ability to share files and other content (and
>>> even URLs, as we've seen in the past) is quite a powerful feature with
>>> security implications.
>>>
>>> However, we (other implementers) are facing a losing battle with Web
>>> compatibility here :(
>>>
>>> If it's too far gone, could we compromise with a "*" policy? But I'd
>>> like to again get a sense if we can go with 'self'.
>>>
>>>
>>> On Monday, November 2, 2020 at 4:22:58 PM UTC+11 Matt Giuca wrote:
>>>
>>>> Pinging on this. It's been a while and I don't think we've seen any
>>>> update on it. (Nobody from YouTube responded on the internal bug.)
>>>>
>>>> Eric, did measurements land and if so, what milestone will we start
>>>> seeing results in?
>>>>
>>>> On Fri, 4 Sep 2020 at 05:06, Chris Harrelson <chri...@chromium.org>
>>>> wrote:
>>>>
>>>>> Hi Eric,
>>>>>
>>>>> Did the analysis relating to YouTube complete? Do you think this will
>>>>> be safe to turn on, because the YouTube case was sufficiently special?
>>>>>
>>>>> Chris
>>>>>
>>>>> On Sun, Aug 23, 2020 at 10:03 PM Eric Willigers <
>>>>> ericwi...@chromium.org> wrote:
>>>>>
>>>>>>
>>>>>> On Friday, August 21, 2020 at 5:15:18 AM UTC+10, Mike West wrote:
>>>>>>>
>>>>>>> Have you followed up with YouTube internally? As Eric notes, it
>>>>>>> seems bad that this broke sharing in Canary.
>>>>>>>
>>>>>>
>>>>>> I have raised a YouTube issue internally, showing how to detect if
>>>>>> Feature Policy forbids sharing.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "blink-dev" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to blink-dev+...@chromium.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e554e75c-f1cc-4a68-bac9-a7e8477c916bo%40chromium.org
>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e554e75c-f1cc-4a68-bac9-a7e8477c916bo%40chromium.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>
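
Added example, not part of the original thread and not YouTube's or Chrome's code: one way an embedded widget's share button can detect that the `web-share` permission policy is blocked and fall back to an in-page share UI instead of throwing. The `doc`/`nav` parameters and the `showInPageShareUI` callback are hypothetical names introduced here so the logic can be exercised outside a browser; an embedder that wants the native sheet grants it with `<iframe allow="web-share" ...>`.

```javascript
// Added example (assumption-labelled): share-button logic for content running
// inside a cross-origin iframe. In a page, call it with `document` and
// `navigator`; `showInPageShareUI` is a hypothetical fallback supplied by the
// widget (for instance a copy-link dialog).

// Returns false when Web Share is known to be unavailable in this frame.
function webShareAllowed(doc, nav) {
  if (typeof nav.share !== "function") return false; // API not implemented
  // document.featurePolicy is exposed by Chromium only; other engines
  // report the block when share() is called.
  const policy = doc.featurePolicy;
  if (policy && typeof policy.allowsFeature === "function") {
    return policy.allowsFeature("web-share");
  }
  return true; // unknown up front: decide from the share() result
}

// Resolves to "shared", "cancelled" or "fallback"; never rejects because of
// a policy block, so the click handler cannot surface an uncaught exception.
async function shareOrFallback(doc, nav, data, showInPageShareUI) {
  if (!webShareAllowed(doc, nav)) {
    showInPageShareUI(data);
    return "fallback";
  }
  try {
    await nav.share(data);
    return "shared";
  } catch (err) {
    // AbortError: the user dismissed the share sheet; nothing else to do.
    if (err && err.name === "AbortError") return "cancelled";
    // NotAllowedError (blocked by permissions policy, or no user activation)
    // and any other failure: use the widget's own share UI.
    showInPageShareUI(data);
    return "fallback";
  }
}
```
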
