Bug 189901 - Implement support for allowlist for the features named in the "allow" attribute
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2018-09-23 17:36 PDT by Subhojeet Sinha
Modified: 2020-03-26 06:47 PDT
Description Subhojeet Sinha 2018-09-23 17:36:04 PDT
As per https://wicg.github.io/feature-policy/#iframe-allow-attribute the allow attribute should support an allowlist (https://wicg.github.io/feature-policy/#allowlist)

A feature policy allowlist is conceptually a set of origins. An allowlist may be either the special value *, which represents every origin, or an ordered set of origins.

However, the current implementation doesn't support adding an allowlist, and the default value for the allowlist, i.e. 'src', is used, which represents the origin of the URL in the iframe’s src attribute.

<iframe src="https://abc.com" allow="geolocation; microphone; camera"></iframe>

With the current implementation, the above change will grant geolocation, microphone and camera access to the origin specified in the "src" attribute, i.e. in this case it would be https://abc.com. 

<iframe src="https://abc.com" allow="geolocation https://abc.com https://foo.com;"></iframe>

Adding the origins to the allow attribute as in the change above doesn't work currently and fails with the following error:
"The top-level frame has prevented a document with a different security origin to call getUserMedia."
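
The allowlist semantics requested in the description above, as an added example that is not part of the original report and is not WebKit's code. It is a simplified reading of the Feature Policy draft's allow-attribute handling; `parseAllow`, `isAllowed` and the embedding origin `https://parent.example` are hypothetical names, and the two attribute strings are the ones from the report.

```javascript
// Added example: turn an iframe "allow" value into per-feature allowlists.
// Keywords per the Feature Policy draft: *, 'src', 'self', 'none'.
function parseAllow(allowValue, srcUrl, containerOrigin) {
  const srcOrigin = new URL(srcUrl).origin;
  const policy = new Map();
  for (const directive of allowValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;                 // e.g. a trailing ";"
    const [feature, ...targets] = tokens;
    if (targets.length === 0) targets.push("'src'");   // default allowlist
    const entry = { all: false, origins: new Set() };
    for (const t of targets) {
      if (t === "*") entry.all = true;                 // every origin
      else if (t === "'src'") entry.origins.add(srcOrigin);
      else if (t === "'self'") entry.origins.add(containerOrigin);
      else if (t === "'none'") continue;               // adds nothing
      else {
        // Normalise explicit origins; skip tokens that are not URLs.
        try { entry.origins.add(new URL(t).origin); } catch { /* ignored */ }
      }
    }
    policy.set(feature, entry);
  }
  return policy;
}

// True only if the feature is delegated and the origin is in its allowlist.
function isAllowed(policy, feature, origin) {
  const entry = policy.get(feature);
  return Boolean(entry) && (entry.all || entry.origins.has(origin));
}

// The two iframes from the report; the parent origin is a constructed value.
const parent = "https://parent.example";
const defaultSrc = parseAllow("geolocation; microphone; camera",
                              "https://abc.com", parent);
const explicit = parseAllow("geolocation https://abc.com https://foo.com;",
                            "https://abc.com", parent);

for (const origin of ["https://abc.com", "https://foo.com"]) {
  console.log(origin,
    "default:", isAllowed(defaultSrc, "geolocation", origin),
    "explicit:", isAllowed(explicit, "geolocation", origin));
}
```

With the explicit allowlist, a frame that navigates from https://abc.com to https://foo.com keeps geolocation, while microphone and camera are not delegated at all because the second attribute never names them.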
Comment 1 Radar WebKit Bug Importer 2018-09-26 09:51:16 PDT
<rdar://problem/44798874>
Comment 2 john.irby 2019-02-13 08:49:11 PST
I am seeing this same issue on Safari version 12.0.3 (13606.4.5.3.1) - removing the allowlist from the attribute prompts for microphone access as specified in the original description

Is there any update on the status of this?
Comment 3 jib 2020-03-26 06:47:12 PDT
Note this is affecting JSFiddle now due to https://github.com/jsfiddle/jsfiddle-issues/issues/1557#issuecomment-603689064

Example: https://jsfiddle.net/jib1/pz5pynyf/