The YouTube issue has been addressed. We can ship with default "self" in M110. crrev.com/c/3995946 <https://chromium-review.googlesource.com/c/chromium/src/+/3995946>
On Tuesday, June 14, 2022 at 3:55:04 PM UTC+10 mar...@marcosc.com wrote: > Hi All, > > On Wednesday, June 8, 2022 at 12:05:48 PM UTC+10 Matt Giuca wrote: > >> Hi folks, >> >> I've followed up on this internally at Google (talking to Chrome and >> YouTube people) and also had a private thread with Marcos. >> >> Marcos has proposed just changing the spec (and by extension, Gecko) to >> make the permission policy be "*" by default, essentially codifying Chrome >> and Safari's current behaviour of allowing embeds to use Web Share without >> permission, but giving embedders the option to explicitly block it: >> https://github.com/w3c/web-share/pull/234 >> > >> My preference is actually to try and enforce the current spec (default of >> "self") which would mean YT and other embeds are blocked from using Web >> Share by default, unless granted permission by the embedder. >> > > 'self' is my preference also and I'd be more than happy to close the PR > for the proposal above (#234). Short of removing the permissions policy > entirely, #234 was basically the only means we had to deal with the web > compat issues that have arisen. > > But it's super encouraging to hear "self" could be back on the table. 🙏 > > As I see it, the only major issue with YouTube being a huge user of Web >> Share in iframes, is that the share button is apparently broken (as in, if >> clicked, it throws a JS exception) if the permission is blocked. That's >> simply a bug which we can get YouTube to fix (I am following up internally >> with YouTube). If that bug is fixed, then I don't see a problem with the >> share button falling back to use the internal in-page share UI (rather than >> using the Web Share API) on the majority of embedded YT videos, with the >> option for embedders to grant the permission if they want that UI to work. >> >> Either way, we should come to a consensus on this and align the spec and >> three implementations in relatively short order (O(days-weeks)). >> > > That would be amazing. In the meantime, we've updated WebKit to use "*" as > I was left with little option because of the breakage. > > However, if we get agreement on "self" and some kind of timeframe form > Chrome, I can revert that form WebKit and we can work towards an > interoperable solution ('self'). > > FWIW, Firefox is also shipping with 'self' as the policy [1], which means > it's also affecting their Windows and Android implementations. > > [1] > https://github.com/mozilla/gecko-dev/blob/1e13dfc1bd87c3747d6712807401c590d0211a46/dom/security/featurepolicy/FeaturePolicyUtils.cpp#L37 > > > Looking forward to a speedy resolution! > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d78cf941-2330-42bc-9078-ee69d3102490n%40chromium.org.
