Hi Della,
Thanks for the message. I would encourage you to file a bug at
crbug.com/new with these details, so it can be triaged by the relevant
team(s).
thanks,
Mike
On 4/3/23 10:24 AM, Della Brodsky wrote:
In the "Controlling browser features with Permissions Policy - Chrome
Developers" article
<https://developer.chrome.com/en/docs/privacy-sandbox/permissions-policy/>,
section "Combine headers with the iframe allow attribute",
it is declared that:
With Feature Policy, you could add the feature to a cross-origin frame
by either adding the origin to the header origin list or adding an
allow attribute to the iframe tag. With Permissions Policy, if you add
a cross-origin frame to the origin list, the iframe tag for that
origin must include the allow attribute. If the response does not
contain a Permissions Policy header, the origin list is considered to
have the default value of *. Adding the allow attribute to the iframe
allows access to the feature.
Please find attached 3 scenarios:
expected_success
expected_failure
unexpected_failure
In all 3 scenarios we have the same final markup:
Host A holding iFrame from itself, which holds iFrame from host B.
Script from nested iFrame from host B performs clipboard API
navigator.clipboard.writeText
In expected_success scenario both iFrames have
iFrame.setAttribute("allow", "clipboard-read; clipboard-write");
In expected_failure scenario only outer iFrame has
iFrame.setAttribute("allow", "clipboard-read; clipboard-write");
(and thus scenario fails)
The unexpected_failure scenario is a bit more complex, and that would
be the scenario in question.
In that scenario we have a form made on Host A with action pointing to
Host B (clipboardAPIUsage.html), and submitted to an iFrame, the src of which
is on host A (/emptyDocument.html). That is an outer iFrame, and it
has iFrame.setAttribute("allow", "clipboard-read; clipboard-write");
Then clipboardAPIUsage.html has an onClick btn function where an iFrame with
src = emptyhover.html is created (with iFrame.setAttribute("allow",
"clipboard-read; clipboard-write");)
And then we set the markup with document.write to that created iFrame
– after its loading – which includes the call to clipboard API, and
there it unexpectedly fails when called.
Please refer to the attached Word file for illustration of all three
markups and consoles.
To reproduce:
As a prerequisite you need to have Node.js installed on your environment
1. Unzip the attached folder
2. Open cmd, cd to …\Permission_Policy\Server1 and run node
server1.js command – it should start Server 1
3. Open another instance of cmd, cd to …\Permission_Policy\Server1
and run node server2.js command – it should start Server 2
4. Open Chrome
5. To run an expected_success, insert
   http://localhost:8111/expected_success.html into the address bar
   and hit Enter; don’t open f12 at this stage
   1. Click “Click me” button – “Copy” button will appear
   2. Click “Copy” button
   3. Open f12, get to Console – no errors will be there
6. To run an expected_failure, insert
   http://localhost:8111/expected_failure.html into the address bar
   and hit Enter; don’t open f12 at this stage
   1. Click “Click me” button – “Copy” button will appear
   2. Click “Copy” button
   3. Open f12, get to Console – the below (expected) error will be
      there:
      clipboardAPIUsage.html:1 Uncaught (in promise) DOMException: The
      Clipboard API has been blocked because of a permissions policy applied
      to the current document
7. To run an unexpected_failure, insert
   http://localhost:8111/unexpected_failure.html into the address bar
   and hit Enter; don’t open f12 at this stage
   1. Click “Click me” button – “Copy” button will appear
   2. Click “Copy” button
   3. Open f12, get to Console – the below (unexpected) error will
      be there:
      clipboardAPIUsage.html:1 Uncaught (in promise) DOMException: The
      Clipboard API has been blocked because of a permissions policy applied
      to the current document
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/09a1a74b-be38-4852-a889-df09e9042967n%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/09a1a74b-be38-4852-a889-df09e9042967n%40chromium.org?utm_medium=email&utm_source=footer>.
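An added example, not part of the original thread or the attached repro: a simplified JavaScript model of how the iframe allow attribute delegates clipboard-write through nested frames, run over constructed descriptions of the three scenarios above. It assumes no Permissions-Policy header is sent, that a feature named in allow without an allowlist takes the default 'src', and it uses a placeholder origin for host B.

```javascript
// Simplified model (added example) of Permissions Policy inheritance for a
// feature whose default allowlist is 'self', with no Permissions-Policy header.
const A = "http://localhost:8111";  // host A, from the repro URLs
const B = "http://host-b.example";  // placeholder: host B's origin is not on the page
const ALLOW = "clipboard-read; clipboard-write";

// Parse an iframe allow attribute into Map(feature -> allowlist tokens).
// A feature listed without an allowlist gets the default 'src'.
function parseAllow(allow) {
  const policy = new Map();
  for (const item of (allow || "").split(";")) {
    const [name, ...list] = item.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name, list.length ? list : ["'src'"]);
  }
  return policy;
}

// Does the allowlist cover the document actually loaded in the frame?
function matches(list, frame, parentOrigin) {
  return list.some((t) =>
    t === "*" ||
    (t === "'src'" && frame.docOrigin === frame.srcOrigin) ||
    (t === "'self'" && frame.docOrigin === parentOrigin) ||
    t === frame.docOrigin);
}

// chain[0] is the top-level document; each later entry is nested in the previous.
function featureEnabled(chain, feature = "clipboard-write") {
  let parentOrigin = chain[0].docOrigin;
  for (const frame of chain.slice(1)) {
    const list = parseAllow(frame.allow).get(feature);
    const ok = list
      ? matches(list, frame, parentOrigin)
      : frame.docOrigin === parentOrigin; // no allow entry: default 'self'
    if (!ok) return false;                // a disabled parent disables descendants
    parentOrigin = frame.docOrigin;
  }
  return true;
}

// Constructed frame chains for the three scenarios in the message above.
const inner = (allow) => ({ srcOrigin: B, docOrigin: B, allow });
const scenarios = {
  expected_success: [{ docOrigin: A }, { srcOrigin: A, docOrigin: A, allow: ALLOW }, inner(ALLOW)],
  expected_failure: [{ docOrigin: A }, { srcOrigin: A, docOrigin: A, allow: ALLOW }, inner("")],
  // Outer iframe keeps src on A, but the form submission loads a host B document into it.
  unexpected_failure: [{ docOrigin: A }, { srcOrigin: A, docOrigin: B, allow: ALLOW }, inner(ALLOW)],
};
for (const [name, chain] of Object.entries(scenarios)) console.log(name, featureEnabled(chain));
```

In this model the third chain is disabled at the outer iframe, because its allow entry resolves to 'src' (host A) while the document loaded into it comes from host B; an allow entry that names host B's origin explicitly evaluates to enabled.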