Closed raymeskhoury closed 4 years ago
We'd like to move forward on this. I will draft a PR which does the appropriate integration with Feature Policy.
I confirm that the restriction is in effect in Chrome 62, but the feature mechanism which should re-enable an iframe to get permission is not working, regardless of the iframe origin.
@robert-gogolan it would be best to file a Chrome bug if you're experiencing issues: https://bugs.chromium.org/p/chromium/issues/entry
There should be no change in Chrome M62, except that a warning message will be printed in the console. The proposed changes should come into effect in M64.
Discussed at TPAC 2019 F2F. Resolved to submit a PR to integrate with Feature Policy with a default policy of ['self'].
In Firefox a fix has landed enforcing this restriction, as well as enabling the Feature Policy opt-in mechanism. The fix is expected to go stable in Firefox 71 later this year.
@raymeskhoury, do you plan to submit a PR?
No, sorry I haven't been working on this for a long time. @engedy may be interested.
I'm relatively certain that both the default allow list of "self", as well as the opt-in mechanism for "geolocation" are already implemented in Chromium, although I admit that our testing coverage is lacking. I filed https://crbug.com/1014416 for that. If anyone observed the production behavior otherwise, could you please update that bug?
@engedy, I sent a PR with some tests https://github.com/web-platform-tests/wpt/pull/23729 ... could use a review.
Sent a PR for this also https://github.com/w3c/geolocation-api/pull/41 - given that it's in both Chrome and Firefox.
Thanks a lot for sending out the tests! They look good to me, but someone else with more powers than me still needs to approve it.
(Apologies if this is the wrong place to file this!)
We would like to explore disabling geolocation by default for cross-origin iframes. The idea is that it would be possible for the embedder to re-enable geolocation using the proposed Feature Policy mechanism.
Geolocation already has a failure mode that occurs as a result of the user denying permission. This same failure mode can be reused but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.
Note that this issue is mainly just intended to start the discussion about this change :) Several things would have to happen before we could land it, including Feature Policy being nailed down.
The motivations for this change and a discussion of compatibility risk can be found here: https://docs.google.com/document/d/13dp9xWVyGM8THAQohDOT2mMOTSGLxEhSZEvgpmVLrxU/edit
@clelland
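The behaviour discussed in this thread, sketched as an added example (not code from the thread, the spec PR or any browser): a simplified model of whether a framed document may use geolocation under a default allowlist of 'self', and of the reuse of the existing permission-denied failure mode. It assumes one level of framing, a top-level document that has the feature, no Feature-Policy HTTP header and no navigation of the frame away from its `src`; the function names and the `*.example` URLs are hypothetical.

```javascript
// Simplified model (added example, assumptions as stated in the lead-in).
const PERMISSION_DENIED = 1; // GeolocationPositionError.PERMISSION_DENIED

// Parse the iframe `allow` attribute into the allowlist for "geolocation".
// Returns null when the attribute does not mention the feature.
function geolocationAllowlist(allowAttr) {
  for (const directive of (allowAttr || "").split(";")) {
    const [feature, ...values] = directive.trim().split(/\s+/);
    if (feature !== "geolocation") continue;
    // A bare feature name delegates to the origin of the frame's src.
    return values.length ? values : ["'src'"];
  }
  return null;
}

function geolocationAllowedInFrame(embedderUrl, frameSrc, allowAttr) {
  const embedder = new URL(embedderUrl).origin;
  const frame = new URL(frameSrc, embedderUrl).origin;
  const list = geolocationAllowlist(allowAttr);
  // No delegation: default allowlist 'self', so only same-origin frames pass.
  if (list === null) return frame === embedder;
  return list.some((entry) => {
    if (entry === "*") return true;
    if (entry === "'none'") return false;
    if (entry === "'self'") return frame === embedder;
    if (entry === "'src'") return true; // frame origin is derived from src here
    try { return new URL(entry).origin === frame; } catch { return false; }
  });
}

// A blocked frame sees the same error a user denial produces; an allowed
// frame still goes through the normal user permission prompt.
function requestOutcome(embedderUrl, frameSrc, allowAttr) {
  return geolocationAllowedInFrame(embedderUrl, frameSrc, allowAttr)
    ? { proceedsToPrompt: true }
    : { proceedsToPrompt: false, errorCode: PERMISSION_DENIED };
}
```

When auditing a site, the cases worth listing are the frames where an `allow` attribute widens access beyond the embedder's own origin, since those are the explicit delegations of location access to third parties.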