Deprecate on-by-default Permissions in Cross-origin Iframes

It’s proposed that by default the following permissions cannot be requested by or granted to content contained in cross-origin iframes:

  • Geolocation
  • MIDI
  • Encrypted media extensions
  • Microphone and Camera

In order for a cross-origin frame to get access to these permissions, the embedding page must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe, the embedder could specify the iframe tag as: <iframe src="..." allow="geolocation">
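An embedder can check ahead of time which of its frames would lose these permissions under the proposal. The following is an added example, not Chromium code: the function names are hypothetical, the sample HTML is constructed, the scan uses a regular expression rather than a full HTML parser, and the allow tokens other than geolocation (midi, encrypted-media, microphone, camera) are assumed to be the Feature Policy names for the features listed above.

```javascript
// Feature Policy tokens for the permissions named in the proposal (assumed mapping).
const GATED = ["geolocation", "midi", "encrypted-media", "microphone", "camera"];

// Return the set of gated features that an allow attribute delegates to the frame.
// Accepts "a; b" directives and the older space-separated "a b" form.
function delegatedFeatures(allow) {
  const out = new Set();
  for (const directive of (allow || "").toLowerCase().split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.includes("'none'")) continue; // feature explicitly disabled
    tokens.filter(t => GATED.includes(t)).forEach(t => out.add(t));
  }
  return out;
}

// List every iframe in `html`, whether it is cross-origin relative to `pageUrl`,
// and which gated features it would no longer be able to request.
function auditIframes(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = name => {
      const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
      const m = tag.match(re);
      return m ? (m[1] ?? m[2] ?? m[3]) : null;
    };
    const src = attr("src");
    if (!src) continue;
    let origin;
    try { origin = new URL(src, pageUrl).origin; } catch { continue; }
    const crossOrigin = origin !== pageOrigin; // scheme, host and port must all match
    const allowed = delegatedFeatures(attr("allow"));
    report.push({
      src,
      crossOrigin,
      delegated: [...allowed],
      // Same-origin frames keep the default; cross-origin frames need allow=.
      blocked: crossOrigin ? GATED.filter(f => !allowed.has(f)) : [],
    });
  }
  return report;
}

// Constructed sample page served from https://www.example.com/index.html
const SAMPLE_HTML = `
<iframe src="/widgets/map.html"></iframe>
<iframe src="https://maps.example.net/embed" allow="geolocation"></iframe>
<iframe src="https://chat.example.org/room" allow="microphone; camera"></iframe>
<iframe src="https://ads.example.com/slot"></iframe>`;
```

The last frame shows that a sibling subdomain counts as cross-origin, so it receives none of the listed permissions unless the embedder adds an allow attribute.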

Comments

Spec bugs:

  • Geolocation: https://github.com/w3c/geolocation-api/issues/10
  • EME: https://github.com/w3c/encrypted-media/issues/371
  • MIDI: https://github.com/WebAudio/web-midi-api/issues/177
  • Mic/Camera: https://github.com/w3c/mediacapture-main/issues/434

Documentation

Status in Chromium

Blink>FeaturePolicy


In development (launch bug)

Consensus & Standardization

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2017-06-19