<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Enable opt-in DeviceOrientation and DeviceMotion cross-origin iframe access"
   href="https://bugs.webkit.org/show_bug.cgi?id=152299">152299</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Enable opt-in DeviceOrientation and DeviceMotion cross-origin iframe access
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>iOS
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>iOS 9.0
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore JavaScript
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>rich.tibbett&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>With iOS 9.2 WebKit now blocks deviceorientation and devicemotion event access from cross-origin iframes.

I know we have discussed preventing access to powerful features such as DeviceOrientation and DeviceMotion events from non-https documents and sub-documents, but WebKit on iOS, as of the 9.2 update, is also blocking cross-origin iframe access. Has this additional restriction been discussed in any standards organization to date?

If this feature needs to stay, then perhaps we could allow website owners to opt in to override that restriction and enable iframe sandboxes to access device sensors if they wish.

I would propose an opt-in mechanism via the sandbox attribute for website owners as follows:

    &lt;iframe src=&quot;<a href="https://some-cross-origin-page">https://some-cross-origin-page</a>&quot; sandbox=&quot;allow-scripts allow-device-sensors&quot;/&gt;

I have created a quick patch for WebKit that enables 'allow-device-sensors' &#64; <a href="https://github.com/WebKit/webkit/compare/master...richtr:iframe-sandbox-allow-device-sensors">https://github.com/WebKit/webkit/compare/master...richtr:iframe-sandbox-allow-device-sensors</a>.

Could we discuss this restriction added to iOS 9.2 and the 'allow-device-sensors' proposal in an open standards forum somewhere? Where should that be?</pre>
        </div>
      </p>
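      <p>The embedding policy discussed in the report above, modelled as an added example; this is not code from the report, the linked patch or WebKit. It assumes the check uses the frame's effective origin, so a sandboxed frame without allow-same-origin counts as cross-origin; the function names and the example hosts are hypothetical, and 'allow-device-sensors' is the token proposed in the report, not a standard sandbox keyword.</p>
      <pre>
```javascript
// Model of the embedding policy discussed in the report (illustration only, not WebKit code).
const PROPOSED_TOKEN = 'allow-device-sensors'; // token proposed in the report

// Parse a sandbox attribute value into a set of lowercase tokens.
// null means the attribute is absent, i.e. the frame is not sandboxed.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Decide whether deviceorientation/devicemotion events reach the framed document.
function sensorEventsAllowed(topLevelUrl, frameUrl, sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  const sandboxed = tokens !== null;
  if (sandboxed) {
    if (!tokens.has('allow-scripts')) {
      return { allowed: false, reason: 'sandbox without allow-scripts: no listener can run' };
    }
  }
  // A sandboxed frame without allow-same-origin gets an opaque origin,
  // so it is cross-origin even when it is served from the embedder's own host.
  const opaque = sandboxed ? !tokens.has('allow-same-origin') : false;
  const sameOrigin = opaque
    ? false
    : new URL(topLevelUrl).origin === new URL(frameUrl).origin;
  if (sameOrigin) return { allowed: true, reason: 'same-origin frame' };
  // Cross-origin: blocked unless the embedder opted in with the proposed token.
  const optedIn = sandboxed ? tokens.has(PROPOSED_TOKEN) : false;
  return optedIn
    ? { allowed: true, reason: 'cross-origin frame opted in by embedder' }
    : { allowed: false, reason: 'cross-origin frame without opt-in' };
}

// Constructed sample embeddings (hypothetical hosts).
function demo() {
  const top = 'https://site.example/';
  const cases = [
    ['https://site.example/widget', null],
    ['https://cdn.example/widget', null],
    ['https://cdn.example/widget', 'allow-scripts'],
    ['https://cdn.example/widget', 'allow-scripts allow-device-sensors'],
    ['https://site.example/widget', 'allow-scripts'],
  ];
  return cases.map(([url, sandbox]) => ({ url, sandbox, ...sensorEventsAllowed(top, url, sandbox) }));
}

console.table(demo());
```
      </pre>
      <p>The last constructed case shows the caveat an embedder would need to check: adding a sandbox attribute to a frame served from the embedder's own origin makes it cross-origin unless allow-same-origin is also granted.</p>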
    </body>
</html>