Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable geolocation by default in cross-origin iframes #10

Closed
raymeskhoury opened this issue Feb 8, 2017 · 11 comments · Fixed by #41
Closed

Disable geolocation by default in cross-origin iframes #10

raymeskhoury opened this issue Feb 8, 2017 · 11 comments · Fixed by #41
Labels
security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@raymeskhoury
Copy link

raymeskhoury commented Feb 8, 2017

(Apologies if this is the wrong place to file this!)

We would like to explore disabling geolocation by default for cross-origin iframes. The idea is that it would be possible for the embedder to re-enable geolocation using the proposed Feature Policy mechanism.

Geolocation already has a failure mode that occurs as a result of the user denying permission. This same failure mode can be reused but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.

Note that this issue is mainly just intended to start the discussion about this change :) Several things would have to happen before we could land it, including Feature Policy being nailed down.

The motivations for this change and a discussion of compatibility risk can be found here: https://docs.google.com/document/d/13dp9xWVyGM8THAQohDOT2mMOTSGLxEhSZEvgpmVLrxU/edit

@clelland

@raymeskhoury
Copy link
Author

We'd like to move forward on this. I will draft a PR which does the appropriate integration with Feature Policy.

@plehegar plehegar added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Nov 20, 2017
@robert-gogolan
Copy link

I confirm that the restriction is in effect in chrome 62, but the feature mechanism which should re-enable an iframe to get permission is not working, regardless of the iframe origin.

@raymeskhoury
Copy link
Author

@robert-gogolan it would be best to file a Chrome bug if you're experiencing issues: https://bugs.chromium.org/p/chromium/issues/entry

There should be no change in Chrome M62, except that a warning message will be printed in the console. The proposed changes should come into effect in M64.

@reillyeon
Copy link
Member

Discussed at TPAC 2019 F2F. Resolved to submit a PR to integrate with Feature Policy with a default policy of ['self'].

https://www.w3.org/2019/09/19-dap-minutes.html#x09

@flaki
Copy link

flaki commented Sep 19, 2019

In Firefox a fix has landed enforcing this restriction, as well as enabling the Feature Policy opt-in mechanism. The fix is expected to go stable in Firefox 71 later this year.

@marcoscaceres
Copy link
Member

@raymeskhoury, do you plan to submit a PR?

@raymeskhoury raymeskhoury removed their assignment Oct 15, 2019
@raymeskhoury
Copy link
Author

No, sorry I haven't been working on this for a long time. @engedy may be interested.

@engedy
Copy link

engedy commented Oct 15, 2019

I'm relatively certain that both the default allow list of "self", as well as the opt-in mechanism for "geolocation" are already implemented in Chromium, although I admit that our testing coverage is lacking. I filed https://crbug.com/1014416 for that. If anyone observed the production behavior otherwise, could please update that bug?

@marcoscaceres
Copy link
Member

@engedy, I sent a PR with some tests web-platform-tests/wpt#23729 ... could use a review.

@marcoscaceres
Copy link
Member

Sent a PR for this also #41 - given that it's in both Chrome and Firefox.

@engedy
Copy link

engedy commented May 29, 2020

Thanks a lot for sending out the tests! They look good to me, but someone else with more powers than me still needs to approve it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants