[Webkit-unassigned] [Bug 152299] [Privileged Contexts] Enable opt-in to DeviceOrientation and DeviceMotion for HTTPS-based iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 23 08:12:36 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=152299

--- Comment #17 from Rich Tibbett <rich.tibbett at gmail.com> ---
Just to reiterate why this solution works.

A cross-domain page running in an iframe cannot access the top-level document and therefore cannot grant itself `allow-device-sensors` access.

However, a top-level document, running a script that has been added by the owner of that document, can create an iframe that does provide `allow-device-sensors` in that iframe's sandbox attribute. That same script could then set `http://some-cross-origin-page`, and that page will then have device sensors access.

Owners of the top-level document maintain control. Scripts injected from the top-level document are accountable for enabling `allow-device-sensors`.

This works in the same way as other iframe sandbox attributes and is useful if a top-level page owner wants to embed e.g. 360 image or video players from a 3rd-party domain.

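As an added illustration of the embedder-side decision described in this comment (example code, not from the bug thread or from WebKit): the top-level page's own script composes the iframe's sandbox allowlist, and the framed document has no way to widen it unless it is same-origin with the embedder and was granted both `allow-same-origin` and `allow-scripts`. The token `allow-device-sensors` is the one proposed in this bug and is treated here as an assumption, not a shipped token; the URLs are constructed sample values.

```javascript
// Added example (not from the bug thread or WebKit): models the opt-in that a
// top-level page performs on behalf of a third-party iframe.
const STANDARD_SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Assumed: the token proposed in bug 152299, not a shipped sandbox token.
const SENSOR_TOKEN = 'allow-device-sensors';

// Build a sandbox attribute value from an allowlist, rejecting unknown tokens
// so a typo cannot silently drop (or widen) a restriction.
function buildSandbox(tokens) {
  const out = [];
  for (const t of tokens) {
    if (!STANDARD_SANDBOX_TOKENS.has(t) && t !== SENSOR_TOKEN) {
      throw new Error(`unknown sandbox token: ${t}`);
    }
    if (!out.includes(t)) out.push(t);
  }
  return out.join(' ');
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The framed document can only reach the top-level document (and so edit its
// own <iframe sandbox> attribute) when it is same-origin with the embedder
// AND the embedder granted both allow-same-origin and allow-scripts.
// A cross-origin frame, as the comment notes, never can.
function frameCanEscapeSandbox(topUrl, frameUrl, tokens) {
  const set = new Set(tokens);
  return sameOrigin(topUrl, frameUrl) &&
    set.has('allow-same-origin') && set.has('allow-scripts');
}

// Attributes the embedder's own script would put on the iframe for a
// third-party sensor-driven (e.g. 360 video) player. Sensor access is granted
// explicitly by the top-level page; the frame cannot grant it to itself.
function sensorFrameAttributes(topUrl, frameUrl, extraTokens = []) {
  const tokens = ['allow-scripts', SENSOR_TOKEN, ...extraTokens];
  if (frameCanEscapeSandbox(topUrl, frameUrl, tokens)) {
    throw new Error('same-origin frame with allow-same-origin + allow-scripts ' +
                    'can remove its own sandbox; drop allow-same-origin');
  }
  return { src: frameUrl, sandbox: buildSandbox(tokens) };
}

// In a browser the embedder's script would apply the result like this:
//   const a = sensorFrameAttributes(location.href, 'https://player.example/360');
//   const f = document.createElement('iframe');
//   f.setAttribute('sandbox', a.sandbox);
//   f.src = a.src;
//   document.body.appendChild(f);
if (typeof document === 'undefined') {
  // Constructed sample URLs for running under Node.
  console.log(sensorFrameAttributes('https://publisher.example/article',
                                    'https://player.example/360'));
}
```

The refusal in `sensorFrameAttributes` encodes the one case where the embedder's allowlist stops being the final word: a same-origin frame that has been given `allow-same-origin` together with `allow-scripts` can reach `parent.document` and rewrite its own `sandbox` attribute, so the opt-in should be granted without `allow-same-origin` whenever the framed content is not fully trusted.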