[Webkit-unassigned] [Bug 189901] New: Implement support for allowlist for the features named in the "allow" attribute

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 23 17:36:04 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=189901

            Bug ID: 189901
           Summary: Implement support for allowlist for the features named
                    in the "allow" attribute
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: subhojeet.sinha3 at gmail.com

As per https://wicg.github.io/feature-policy/#iframe-allow-attribute, the allow attribute should support an allowlist (https://wicg.github.io/feature-policy/#allowlist).

A feature policy allowlist is conceptually a set of origins. An allowlist may be either the special value *, which represents every origin, or an ordered set of origins.

However, the current implementation doesn't support adding an allowlist, and the default value for the allowlist, i.e. 'src', is used, which represents the origin of the URL in the iframe's src attribute.

<iframe src="https://abc.com" allow="geolocation; microphone; camera"></iframe>

With the current implementation, the above change will grant geolocation, microphone and camera access to the origin specified in the "src" attribute, i.e. in this case it would be https://abc.com.

<iframe src="https://abc.com" allow="geolocation https://abc.com https://foo.com;"></iframe>

Adding the origins to the allow attribute as in the change above doesn't work currently and fails with the following error:
"The top-level frame has prevented a document with a different security origin to call getUserMedia."

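Added example, not part of the original bug report and not WebKit code: a simplified JavaScript model of the allowlist resolution the report asks for, covering `*`, explicit origins, the 'src' keyword and the 'src' default used when a feature has no allowlist. The function names are hypothetical, and the model covers only what the attribute itself delegates, not the parent document's own policy.

```javascript
// Added example (hypothetical helper names, simplified model).
// Parses an iframe "allow" value into a Map: feature -> "*" or Set of origins.
function parseAllowAttribute(allowValue, srcUrl) {
  const srcOrigin = new URL(srcUrl).origin; // what 'src' stands for
  const policy = new Map();
  for (const directive of allowValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. a trailing ";"
    const [feature, ...values] = tokens;
    if (policy.has(feature)) continue; // assumption of this sketch: first directive wins

    let allowlist = new Set();
    if (values.length === 0) {
      allowlist.add(srcOrigin); // no allowlist given: default is 'src'
    }
    for (const value of values) {
      if (value === "*") {
        allowlist = "*"; // every origin
        break;
      }
      if (value === "'src'") {
        allowlist.add(srcOrigin);
        continue;
      }
      try {
        const origin = new URL(value).origin;
        // Opaque origins serialize as "null"; never allowlist those.
        if (origin !== "null") allowlist.add(origin);
      } catch {
        // Not a URL and not a keyword handled here: ignored in this sketch.
      }
    }
    policy.set(feature, allowlist);
  }
  return policy;
}

// True if the attribute delegates `feature` to a document at `documentUrl`.
function isDelegated(policy, feature, documentUrl) {
  const allowlist = policy.get(feature);
  if (allowlist === undefined) return false; // feature not named in "allow"
  return allowlist === "*" || allowlist.has(new URL(documentUrl).origin);
}
```

With the second iframe from the report, `isDelegated` returns true for geolocation on both https://abc.com and https://foo.com, and false for any other origin or feature.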