On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote:
> Summary: People don’t have a good understanding of iframes, because
> generally, no UI indicates that iframes are visible on a page, or what
> their origin is. Permission requests from iframes cause significant
> confusion for users because it is hard to determine where the requests come
> from, as the address bar does not match the site in the permission prompt.
> 
> Currently, Firefox allows iframes on a site to make permission requests and
> show a permission prompt using the origin of the iframes. A user making
> a decision based on the third party context presented in the notification
> prompt is complicated and confusing. This confusion is exacerbated when
> managing previously stored permission decisions.
> 
> To address this problem, we would like to impose a restriction on
> permissions coming from third party context. There would be two main
> changes proposed:
> 
>    - Give an ability to delegate permissions from first party to third party
>      embedded iframes, and impose a restriction to embedded iframes to request
>      permission only when the iframe's embedder has explicitly delegated it. The
>      permission request will use the top level origin to show in the prompt,
>      then users are only required to make permission decisions about the first
>      party context.
>      - This change is dependent on the ability of Feature Policy to disable
>        permissions by default in cross-origin iframes. It will require a site to
>        explicitly allow permissions for cross-origin iframes (setting the allow
>        attribute, e.g. allow="geolocation"); otherwise, the permission requests
>        will be denied in those iframes.
>      - The change will be applied to geolocation, camera, microphone and
>        screen-sharing permission, and fullscreen request.
>    - Completely deny permissions from third party context for vibration,
>      notification, and persistent-storage permission.
> 
> 
> The plan is:
> 
>    - Enable Feature Policy allow attribute.
>    - Make permission camera/microphone/geolocation/display-capture/fullscreen
>      disabled by default in third-party iframe.
>    - Delegate Permissions: only cross-origin iframes that have explicit
>      delegated permission from their parent through the allow attribute will
>      have the right to make permission requests.
>    - Reduce the number of supported features to geolocation, camera,
>      microphone, screen-sharing, and fullscreen (the above features are supported
>      for permissions UI with notification prompts, except fullscreen). And we
>      will move all other features to an experimental phase under a user preference
>      which is disabled by default.
>    - Simplify prompts/dialogs to only contain the top-level origin.
>    - Deny vibration, persistent-storage permission from third party iframe
>      (notification permission was disabled in third party context, just do some
>      minor refactors).
> 
> Bug: The tracking bug https://bugzilla.mozilla.org/show_bug.cgi?id=1572461
> 
> Standard: Feature Policy
> https://w3c.github.io/webappsec-feature-policy/#iframe-allow-attribute
> 
> Platform coverage: All.
> 
> Preference:
> 
> dom.security.featurePolicy.experimental.enabled: disabled by default, we
> will limit supported features in Feature Policy to geolocation, camera,
> microphone, fullscreen, display-capture and move others to experimental
> phase.
> 
> permissions.delegate.enabled: enabled by default
> 
> dom.security.featurePolicy.enabled: this pref is implemented in Firefox 65
> but enabled by default in Nightly only
> 
> Other browsers: Chrome supports permission delegation from Chrome 71.
> 
> web-platform-tests: We only have web platform tests for feature policy but
> not permission delegation
> 
> Some Feature Policy web-platform-tests checking that the permissions are
> disabled by default in cross-origin iframes:
> 
> https://searchfox.org/mozilla-central/source/testing/web-platform/meta/feature-policy
> 
> testing/web-platform/tests/permissions/feature-policy-permissions-query.html
> <https://searchfox.org/mozilla-central/source/testing/web-platform/tests/permissions/feature-policy-permissions-query.html>
> 
> testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html
> <https://searchfox.org/mozilla-central/source/testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html>
> 
> testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-mic.https.html
> <https://phabricator.services.mozilla.com/D42958#change-R6vBFB8IJIFC>
> 
> testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-camera.https.html
> <https://phabricator.services.mozilla.com/D42958#change-7eOHWcqTIeBw>
> 
> testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices.https.html
> <https://phabricator.services.mozilla.com/D42958#change-pqamxq3whbwg>
> 
> Secure contexts: yes.
> 
> Is this feature enabled by default in sandboxed iframes? Yes
> 
> 
> -- 
> Best regards,
> 
> =====================================================
> Thomas Nguyen
> IRC : tngu...@irc.mozilla.com
> Slack: tnguyen
> Email: tngu...@mozilla.com
> =====================================================

This is exciting news, thank you for implementing!

The WebXR Devices API will be shipping imminently by multiple vendors, with 
feature policy integration:

https://immersive-web.github.io/webxr/#feature-policy

The "xr-spatial-tracking" feature policy will effectively grant permission to 
use the calculated position and orientation of a headset and controllers in 
space, required for "immersive" VR and AR sessions.

Could such an "xr-spatial-tracking" feature be enabled by the 
"dom.security.featurePolicy.experimental.enabled" preference?

If so, what would the conditions be to later move features from an experimental 
state to being enabled by default?
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
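To make the delegation rule in the proposal above concrete, here is an added example (not code from the thread, from Firefox, or from the Feature Policy spec) that models the container-policy check deciding whether an iframe may request one of the five delegated permissions. It assumes the embedder is a top-level document with no Feature-Policy header, compares origins as exact serialized strings, and models only geolocation, camera, microphone, display-capture and fullscreen, each with the spec's default allowlist of 'self'.

```javascript
// Added example (not code from the thread or from Firefox): a model of the
// Feature Policy "container policy" check that decides whether a cross-origin
// iframe may request a delegable permission. Assumptions: the embedder is a
// top-level document with no Feature-Policy header, origins are compared as
// exact serialized strings, and only the five features the proposal delegates
// are modelled, each with the spec's default allowlist of 'self'.
const DEFAULT_ALLOWLIST = {
  geolocation: "'self'", camera: "'self'", microphone: "'self'",
  "display-capture": "'self'", fullscreen: "'self'",
};

// Parse an iframe allow attribute such as "geolocation; camera 'none'" into a
// map of feature -> allowlist tokens; a declaration without tokens means 'src'.
function parseAllowAttribute(attr) {
  const policy = new Map();
  for (const decl of attr.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does an allowlist match `origin`? 'self' is the embedder's origin, 'src' the
// iframe's own origin, '*' matches any origin and 'none' matches nothing.
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((t) =>
    t === "*" ||
    (t === "'self'" && origin === selfOrigin) ||
    (t === "'src'" && origin === srcOrigin) ||
    t === origin);
}

// Inherited policy for `feature` inside the iframe: a container-policy entry
// for the feature decides; otherwise the default allowlist applies, so a
// 'self' feature is enabled only when the frame is same-origin with its embedder.
function iframeAllowsFeature(feature, embedderOrigin, iframeOrigin, allowAttr) {
  const defaultAllowlist = DEFAULT_ALLOWLIST[feature];
  if (defaultAllowlist === undefined) return false; // feature not modelled here
  const container = parseAllowAttribute(allowAttr || "");
  if (container.has(feature)) {
    return allowlistMatches(container.get(feature), iframeOrigin, embedderOrigin, iframeOrigin);
  }
  if (defaultAllowlist === "*") return true;
  return iframeOrigin === embedderOrigin;
}
```

Note that `'self'` inside the attribute names the embedder's origin, so `allow="camera 'self'"` on a cross-origin frame still denies the frame; a bare `allow="camera"` (implicit `'src'`) is what delegates to it.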