[Webkit-unassigned] [Bug 221399] New: DeviceMotionEvent.requestPermission is not a function in iframe-hosted cross-origin pages, even with feature policy and allow attributes set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 4 04:22:20 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=221399

            Bug ID: 221399
           Summary: DeviceMotionEvent.requestPermission is not a function
                    in iframe-hosted cross-origin pages, even with feature
                    policy and allow attributes set
           Product: WebKit
           Version: Safari 14
          Hardware: All
                OS: All
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: will.morgan at iproov.com

Created attachment 419269

  --> https://bugs.webkit.org/attachment.cgi?id=419269&action=review

Safari gyroscope iframe permission problem

Using iOS 14, DeviceMotionEvent.requestPermission does not exist in documents that are hosted within a cross-origin iframe, even if feature policy is set.

This seems to be because the gyroscope capability of Safari isn't yet supported, as documented on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy

To replicate, please:

1. See the attached reproduction or https://storage.cloud.google.com/public-demo/safarigyro.html
2. Navigate to the page using Safari, preferably on a device with a gyroscope, like an iPhone or iPad.
3. Observe that DeviceMotionEvent.requestPermission works correctly on the hosting page.
4. Observe that even though the gyroscope property is set per the Feature-Policy (Permissions-Policy?), the clicking the iframe'd button triggers an error.

This currently affects anyone wanting to integrate apps that use device motion in an iframe, which is a proven, reasonable and ubiquitous integration method for web apps wanting to compose their own user experiences with tools from other vendors.

There is no satisfactory workaround for the above issue. Any consenting web application cannot prompt their users to request gyroscope permissions, therefore device motion is broken in iframes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210204/ba1f6dbf/attachment.htm>

More information about the webkit-unassigned mailing list