On Tuesday, November 26, 2019 at 1:03:01 AM UTC+1, kgil...@mozilla.com wrote:
> On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote:
> > Summary: People don’t have a good understanding of iframes, because
> > generally, no UI indicates that iframes are visible on a page, or what
> > their origin is. Permission requests from iframes cause significant
> > confusion for users because it is hard to determine where the requests come
> > from, as the address bar does not match the site in the permission prompt.
> > 
> > Currently, Firefox allows iframes on a site to make permission requests and
> > show a permission prompt using the origin of the iframes. A user making
> > a decision based on the third party context presented in the notification
> > prompt is complicated and confusing. This confusion is exacerbated when
> > managing previously stored permission decisions.
> > 
> > To address this problem, we would like to impose a restriction on
> > permissions coming from third party context. There would be two main
> > changes proposed:
> > 
> > - Give an ability to delegate permissions from first party to third party
> >   embedded iframes, and impose a restriction to embedded iframes to request
> >   permission only when the iframe's embedder has explicitly delegated it. The
> >   permission request will use the top level origin to show in the prompt,
> >   then users are only required to make permission decisions about the first
> >   party context.
> >   - This change is dependent on the ability of Feature Policy to disable
> >     permissions by default in cross-origin iframes. It will require a site to
> >     explicitly allow permissions for cross-origin iframes (setting the allow
> >     attribute, e.g. allow="geolocation"), otherwise the permission requests will
> >     be denied on those iframes.
> >   - The change will be applied to geolocation, camera, microphone and
> >     screen-sharing permission, and fullscreen request.
> > - Completely deny permissions from third party context for vibration,
> >   notification, and persistent-storage permission.
> > 
> > The plan is:
> > 
> > - Enable Feature Policy allow attribute.
> > - Make permission camera/microphone/geolocation/display-capture/fullscreen
> >   disabled by default in third-party iframe.
> > - Delegate Permissions: only cross-origin iframes that have explicit
> >   delegated permission from their parent through the allow attribute will
> >   have the right to make permission requests.
> > - Reduce the number of supported features to geolocation, camera,
> >   microphone, screen-sharing, and fullscreen (the above features are supported
> >   for permissions UI with notification prompts, except fullscreen). And we
> >   will move all other features to an experimental phase under a user preference
> >   which is disabled by default.
> > - Simplify prompts/dialogs to only contain the top-level origin.
> > - Deny vibration, persistent-storage permission from third party iframe
> >   (notification permission was disabled in third party context, just do some
> >   minor refactors).
> > 
> > Bug: The tracking bug https://bugzilla.mozilla.org/show_bug.cgi?id=1572461
> > 
> > Standard: Feature Policy
> > https://w3c.github.io/webappsec-feature-policy/#iframe-allow-attribute
> > 
> > Platform coverage: All.
> > 
> > Preference:
> > 
> > dom.security.featurePolicy.experimental.enabled: disabled by default, we
> > will limit supported features in Feature Policy to geolocation, camera,
> > microphone, fullscreen, display-capture and move others to experimental
> > phase.
> > 
> > permissions.delegate.enabled: enabled by default
> > 
> > dom.security.featurePolicy.enabled: this pref is implemented in Firefox 65
> > but enabled by default in Nightly only
> > 
> > Other browsers: Chrome supports permission delegation from Chrome 71.
> > 
> > web-platform-tests: We only have web platform tests for feature policy but
> > not permission delegation
> > 
> > Some of Feature Policy web-platform-tests that the permissions are disabled
> > by default in cross origin iframe:
> > 
> > https://searchfox.org/mozilla-central/source/testing/web-platform/meta/feature-policy
> > 
> > testing/web-platform/tests/permissions/feature-policy-permissions-query.html
> > <https://searchfox.org/mozilla-central/source/testing/web-platform/tests/permissions/feature-policy-permissions-query.html>
> > 
> > testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html
> > <https://searchfox.org/mozilla-central/source/testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html>
> > 
> > testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-mic.https.html
> > <https://phabricator.services.mozilla.com/D42958#change-R6vBFB8IJIFC>
> > 
> > testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-camera.https.html
> > <https://phabricator.services.mozilla.com/D42958#change-7eOHWcqTIeBw>
> > 
> > testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices.https.html
> > <https://phabricator.services.mozilla.com/D42958#change-pqamxq3whbwg>
> > 
> > Secure contexts: yes.
> > 
> > Is this feature enabled by default in sandboxed iframes? Yes
> > 
> > 
> > -- 
> > Best regards,
> > 
> > =====================================================
> > Thomas Nguyen
> > IRC : tngu...@irc.mozilla.com
> > Slack: tnguyen
> > Email: tngu...@mozilla.com
> > =====================================================
> 
> This is exciting news, thank you for implementing!
> 
> The WebXR Devices API will be shipping imminently by multiple vendors, with 
> feature policy integration:
> 
> https://immersive-web.github.io/webxr/#feature-policy
> 
> The "xr-spatial-tracking" feature policy will effectively grant permission to 
> use the calculated position and orientation of a headset and controllers in 
> space, required for "immersive" VR and AR sessions.
> 
> Could such an "xr-spatial-tracking" feature be enabled by the 
> "dom.security.featurePolicy.experimental.enabled" preference?
> 
> If so, what would the conditions be to later move features from an 
> experimental state to being enabled by default?

I did not notice your question; my account somehow did not get any notification 
from this thread. At the moment, there are still changes in specs and we only 
support "permission type" features (having a UI prompt/dialogs). The 
experimental list is for unstable spec features or those without UI changes. I don't 
find it too hard to add xr-spatial-tracking to the experimental list (then 
you can flip dom.security.featurePolicy.experimental.enabled), or even add it to 
the supported list after you have a UI prompt and stable specs.
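As an added illustration of the delegation rule in the quoted proposal (this is not code from the thread or from Firefox), the following models how the Feature Policy `allow` attribute decides whether a cross-origin iframe may request a permission at all. The feature names and the "never delegated" list are taken from the proposal text, the matching rules are simplified from the spec's allowlist algorithm, and the origins and frame objects are constructed inputs.

```javascript
// Added example, not code from the thread or from Firefox: a small model of
// how the Feature Policy `allow` attribute gates permission requests from
// embedded iframes, following the proposal quoted above.

// Permission-type features the proposal keeps; each defaults to 'self', so a
// cross-origin iframe gets them only when the embedder delegates explicitly.
const DELEGABLE = new Set([
  "geolocation", "camera", "microphone", "display-capture", "fullscreen",
]);
// Denied outright in third-party context, whatever the allow attribute says
// (labels as used in the thread, not necessarily the spec's feature names).
const NEVER_DELEGATED = new Set(["vibration", "notification", "persistent-storage"]);

// Parse `allow="geolocation; camera 'self' https://cdn.example"` into a Map
// feature -> allowlist tokens. In the iframe attribute an empty allowlist
// means 'src' (the origin of the iframe's src URL).
function parseAllowAttribute(attr) {
  const policy = new Map();
  for (const entry of (attr || "").split(";")) {
    const [feature, ...allowlist] = entry.trim().split(/\s+/).filter(Boolean);
    if (feature) {
      policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
    }
  }
  return policy;
}

// frame = { origin: the frame's current document origin,
//           srcOrigin: origin of the URL in its src attribute } (constructed input)
function allowlistMatches(allowlist, embedderOrigin, frame) {
  return allowlist.some((token) =>
    token === "*" ||
    (token === "'self'" && frame.origin === embedderOrigin) ||
    (token === "'src'" && frame.origin === frame.srcOrigin) ||
    token === frame.origin);
}

// True if the embedded document may request `feature` at all. Assumes the
// embedder (top-level document) is itself allowed to use the feature.
function mayRequestPermission(feature, embedderOrigin, frame, allowAttr) {
  const sameOrigin = frame.origin === embedderOrigin;
  if (NEVER_DELEGATED.has(feature)) return sameOrigin;  // first party only
  if (!DELEGABLE.has(feature)) return false;            // not a supported feature
  const declared = parseAllowAttribute(allowAttr).get(feature);
  const allowlist = declared || ["'self'"];             // default allowlist
  return allowlistMatches(allowlist, embedderOrigin, frame);
}
```

Note that a frame that has navigated away from its src origin no longer matches `'src'`, so a bare `allow="geolocation"` stops delegating once the embedded content moves to another origin.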
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform