Deprecate on-by-default Permissions in Cross-origin Iframes

It’s proposed that by default the following permissions cannot be requested or granted to content contained in cross-origin iframes: Geolocation Midi Encrypted media extensions Microphone and Camera In order for a cross-origin frame to get access to these permissions, the embedding page must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe, the embedder could specify the iframe tag as: <iframe src="..." allow="geolocation">

Status in Chromium

In development (launch bug)

Consensus & Standardization

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2017-02-08