As per https://wicg.github.io/feature-policy/#iframe-allow-attribute the allow attribute should support an allowlist(https://wicg.github.io/feature-policy/#allowlist) A feature policy allowlist is conceptually a set of origins. An allowlist may be either the special value *, which represents every origin, or An ordered set of origins. However, the current implementation doesn't support adding allowlist and the default value for the allowlist i.e. 'src' is used, which represents the origin of the URL in the iframe’s src attribute. <iframe src="https://abc.com" allow="geolocation; microphone; camera"></iframe> With the current implementation, the above change will grant geolocation, microphone and camera access to the origin specified in the "src" attribute, i.e. in this case it would be https://abc.com. <iframe src="https://abc.com" allow="geolocation https://abc.com https://foo.com;"></iframe> Adding the origins to the allow attribute as in the change above doesn't work currently and fails with the following error: "The top-level frame has prevented a document with a different security origin to call getUserMedia."
<rdar://problem/44798874>
I am seeing this same issue on Safari version 12.0.3 (13606.4.5.3.1) - removing the allowlist from the attribute prompts for microphone access as specified in the original description Is there any update on the status of this?
Note this is affecting JSFiddle now due to https://github.com/jsfiddle/jsfiddle-issues/issues/1557#issuecomment-603689064 Example: https://jsfiddle.net/jib1/pz5pynyf/