[webkit-changes] [WebKit/WebKit] 863558: Cross-origin <embed> elements can request media pe...

youennf noreply at github.com
Tue Jan 30 07:09:07 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 863558a77cbf5d2cf19869c6fb9884b6928dbbdf
      https://github.com/WebKit/WebKit/commit/863558a77cbf5d2cf19869c6fb9884b6928dbbdf
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-30 (Tue, 30 Jan 2024)

  Changed paths:
    M LayoutTests/fullscreen/full-screen-enabled-expected.txt
    M LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
    M LayoutTests/fullscreen/full-screen-restrictions-expected.txt
    M LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt
    M LayoutTests/http/tests/gamepad/gamepad-allow-attribute.https-expected.txt
    M LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html
    A LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html
    M LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt
    M LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
    M Source/WebCore/html/FeaturePolicy.cpp
    M Source/WebCore/html/FeaturePolicy.h

  Log Message:
  -----------
  Cross-origin <embed> elements can request media permission, and prompts show main-frame URL
https://bugs.webkit.org/show_bug.cgi?id=265812
rdar://119149318

Reviewed by Chris Dumez.

We should apply feature policy for all elements, including embed and frame elements.
Since there are no allow attributes, we should use the default feature policy rules for those elements.
Update isFeaturePolicyAllowedByDocumentAndAllOwners accordingly.

Rebase tests according updated console log message.

* LayoutTests/fullscreen/full-screen-enabled-expected.txt:
* LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt:
* LayoutTests/fullscreen/full-screen-restrictions-expected.txt:
* LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt:
* LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt:
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt: Added.
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html: Added.
* LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html: Added.
* LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt:
* LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt:
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
* Source/WebCore/html/FeaturePolicy.h:
(WebCore::FeaturePolicy::defaultPolicy):
(WebCore::FeaturePolicy::parse):

Originally-landed-as: 267815.624 at safari-7617-branch (0ad98b606305). rdar://121480412
Canonical link: https://commits.webkit.org/273753@main

More information about the webkit-changes mailing list