Disable geolocation by default in cross-origin iframes #10
Comments
|
We'd like to move forward on this. I will draft a PR which does the appropriate integration with Feature Policy. |
plehegar
added
the
security-tracker
|
I confirm that the restriction is in effect in chrome 62, but the feature mechanism which should re-enable an iframe to get permission is not working, regardless of the iframe origin. |
|
@robert-gogolan it would be best to file a Chrome bug if you're experiencing issues: https://bugs.chromium.org/p/chromium/issues/entry There should be no change in Chrome M62, except that a warning message will be printed in the console. The proposed changes should come into effect in M64. |
|
Discussed at TPAC 2019 F2F. Resolved to submit a PR to integrate with Feature Policy with a default policy of |
|
In Firefox a fix has landed enforcing this restriction, as well as enabling the Feature Policy opt-in mechanism. The fix is expected to go stable in Firefox 71 later this year. |
|
@raymeskhoury, do you plan to submit a PR? |
|
No, sorry I haven't been working on this for a long time. @engedy may be interested. |
|
I'm relatively certain that both the default allow list of "self", as well as the opt-in mechanism for "geolocation" are already implemented in Chromium, although I admit that our testing coverage is lacking. I filed https://crbug.com/1014416 for that. If anyone observed the production behavior otherwise, could please update that bug? |
|
@engedy, I sent a PR with some tests web-platform-tests/wpt#23729 ... could use a review. |
|
Sent a PR for this also #41 - given that it's in both Chrome and Firefox. |
|
Thanks a lot for sending out the tests! They look good to me, but someone else with more powers than me still needs to approve it. |
(Apologies if this is the wrong place to file this!)
We would like to explore disabling geolocation by default for cross-origin iframes. The idea is that it would be possible for the embedder to re-enable geolocation using the proposed Feature Policy mechanism.
Geolocation already has a failure mode that occurs as a result of the user denying permission. This same failure mode can be reused but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.
Note that this issue is mainly just intended to start the discussion about this change :) Several things would have to happen before we could land it, including Feature Policy being nailed down.
The motivations for this change and a discussion of compatibility risk can be found here: https://docs.google.com/document/d/13dp9xWVyGM8THAQohDOT2mMOTSGLxEhSZEvgpmVLrxU/edit
@clelland
The text was updated successfully, but these errors were encountered: