Intent to Implement: Feature Policy for Autoplay

Becca Hughes

Nov 29, 2017, 11:09:23 AM
to blink-dev, Mounir Lamouri, Jonathan Dahlke

Contact emails

becca...@chromium.org, mlam...@chromium.org, dah...@chromium.org


Spec

https://github.com/WICG/feature-policy/blob/gh-pages/features.md

https://github.com/whatwg/html/pull/3253


Summary

Allows developers to selectively enable and disable use of autoplay through the feature policy HTTP header or the <iframe> "allow" attribute.


By default we will allow autoplay on same origin iframes. If developers have cross origin iframes they will be able to enable autoplay on those frames by enabling the "autoplay" feature.


Motivation

This will allow developers who have cross origin iframes to decide which frames should be allowed to autoplay.


Risks

Interoperability and Compatibility

Edge: No signals

Firefox: No signals

Safari: Public support

Web developers: No signals


Ergonomics

This is part of Unified Autoplay.


Activation

Developers will be able to enable this feature in chrome://flags before wider rollout.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


OWP launch tracking bug

https://crbug.com/788390


Link to entry on the feature dashboard

https://www.chromestatus.com/features/5100524789563392


Requesting approval to ship?

No
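
The default and opt-in described in the Summary above, as an added example that is not part of the original message and not Chromium's code: a simplified model of whether an embedded frame may autoplay. The function names, the sample origins and the `;`-separated directive syntax are assumptions.

```javascript
// Added example: simplified model of the Summary's rules, not Blink's code.
// Assumes ';'-separated directives, e.g. "autoplay 'self'; fullscreen".

// Parse a policy string into Map(feature -> allowlist tokens).
function parsePolicy(text) {
  const policy = new Map();
  for (const directive of (text || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// True if `allowlist` covers `origin`. `selfOrigin` resolves 'self' and
// `srcOrigin` resolves 'src' (only meaningful in the allow attribute).
function matches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((token) => {
    if (token === "*") return true;
    if (token === "'self'") return origin === selfOrigin;
    if (token === "'src'") return origin === srcOrigin;
    // 'none' and malformed tokens fail URL parsing and match nothing.
    try { return new URL(token).origin === origin; } catch { return false; }
  });
}

// Decide whether the iframe `frameSrc` embedded in `pageUrl` may autoplay.
// `header` is the page's Feature-Policy header value, `allow` the iframe attribute.
function frameMayAutoplay({ pageUrl, header, frameSrc, allow }) {
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(frameSrc, pageUrl).origin;

  // A page that switched autoplay off for itself cannot hand it to a frame.
  // Assumption: a header directive with no allowlist means 'self'.
  const headerList = parsePolicy(header).get("autoplay");
  if (headerList) {
    const list = headerList.length ? headerList : ["'self'"];
    if (!matches(list, pageOrigin, pageOrigin)) return false;
  }
  // An autoplay directive in allow= decides; a bare "autoplay" means 'src'.
  const allowList = parsePolicy(allow).get("autoplay");
  if (allowList) {
    const list = allowList.length ? allowList : ["'src'"];
    return matches(list, frameOrigin, pageOrigin, frameOrigin);
  }
  // No delegation: only same-origin frames keep autoplay.
  return frameOrigin === pageOrigin;
}
```
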

Andy Paicu

Nov 30, 2017, 10:48:30 AM
to Becca Hughes, blink-dev, Mounir Lamouri, Jonathan Dahlke
Is the autoplay feature something that could be easily exploited by an attacker?

Will this allow an attacker to not only embed some video but also make it autoplay easily?

I'm concerned that this could allow an attacker to inject videos from their cross-origin origin that would also autoplay.

Regards,
Andy


Becca Hughes

Nov 30, 2017, 11:17:00 AM
to Andy Paicu, Becca Hughes, blink-dev, Mounir Lamouri, Jonathan Dahlke
I don't think so because at the moment there are no restrictions on cross origin autoplay.

When we launch Unified Autoplay in early 2018 we want to move to a model where autoplay is disabled for cross origin by default and developers have to switch it on. 

Thanks,
Becca

--


  •  Becca Hughes
  •  Software Engineer
  •  Google Inc.
  •  becca...@google.com


Andy Paicu

Nov 30, 2017, 11:18:10 AM
to Becca Hughes, Becca Hughes, blink-dev, Mounir Lamouri, Jonathan Dahlke
Ah I see, so it's actually a security improvement.

Andy

