[Webkit-unassigned] [Bug 152299] [Privileged Contexts] Enable opt-in to DeviceOrientation and DeviceMotion for HTTPS-based iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 14 06:44:57 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=152299

--- Comment #20 from Rich Tibbett <rich.tibbett at gmail.com> ---
Something similar has been proposed and implemented by browsers in the W3C WICG Feature Policy specification: https://wicg.github.io/feature-policy/#iframe-allow-attribute.

Chromium now implements the following `allow` properties that are relevant to this bug:

* gyroscope
* accelerometer
* magnetometer

(see: https://developers.google.com/web/updates/2018/06/feature-policy)

If this feature is to be implemented, then it should follow this specification.

Also, Safari 9.2+ completely blocks adding event listeners for `deviceorientation`, `deviceorientationabsolute` and `devicemotion`.

Adding the following code to a cross-origin iframe:

    window.addEventListener("devicemotion", () => {});

results in the following Inspector error:

    "Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page" 

This causes problems for people that are polyfilling and emitting these sensor events within cross-origin iframes (e.g. via postMessage; see: https://github.com/aframevr/aframe/issues/3422).

It would be good to see some progress on these issues. Especially, preventing even listening for device motion or orientation listeners in cross-origin iframes seems to be a very aggressive approach.

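The two mechanisms mentioned in the comment above, sketched as an added example that is not part of the original mail or of any project's code: building an iframe `allow` value that delegates the sensor features to one origin, and a postMessage relay whose receiving side checks the sender origin and the payload shape. The origins `https://parent.example` and `https://frame.example`, the message type `relay-devicemotion` and all function names are assumptions made for illustration.

```javascript
// Added example: names, origins and message shape are assumptions.
const SENSOR_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Build an iframe `allow` value that delegates only known sensor features
// to one explicit origin, e.g. "gyroscope https://frame.example".
function buildAllowAttribute(features, frameOrigin) {
  const unknown = features.filter((f) => !SENSOR_FEATURES.includes(f));
  if (unknown.length) throw new Error("unsupported feature: " + unknown.join(", "));
  return features.map((f) => `${f} ${frameOrigin}`).join("; ");
}

const isNum = (v) => typeof v === "number" && Number.isFinite(v);
const isVec = (v) =>
  v !== null && typeof v === "object" && ["x", "y", "z"].every((k) => isNum(v[k]));

// Parent side: copy only the numeric fields of a devicemotion event into a
// plain object that can be handed to postMessage.
function serializeMotion(ev) {
  const a = ev.accelerationIncludingGravity || {};
  return {
    type: "relay-devicemotion",
    interval: ev.interval,
    accelerationIncludingGravity: { x: a.x, y: a.y, z: a.z },
  };
}

// Frame side: returns a "message" handler that accepts relayed readings only
// from the expected embedder origin and only when the payload is well formed.
function makeRelayReceiver(parentOrigin, onMotion) {
  return function handleMessage(msg) {
    if (msg.origin !== parentOrigin) return false; // wrong sender: drop
    const d = msg.data;
    if (!d || d.type !== "relay-devicemotion") return false;
    if (!isNum(d.interval) || !isVec(d.accelerationIncludingGravity)) return false;
    const g = d.accelerationIncludingGravity;
    onMotion({ interval: d.interval, accelerationIncludingGravity: { x: g.x, y: g.y, z: g.z } });
    return true;
  };
}

// Browser wiring (not executed here):
//   parent: window.addEventListener("devicemotion", (ev) =>
//     frame.contentWindow.postMessage(serializeMotion(ev), "https://frame.example"));
//   frame:  window.addEventListener("message",
//     makeRelayReceiver("https://parent.example", (m) => { /* feed the app */ }));
```

Passing an explicit target origin to `postMessage` on the parent side and comparing `origin` on the frame side keeps sensor readings from reaching, or being injected by, any other document.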