Controlled Frame update: Permissions policy now required in your IWA's manifest

[Chase Phillips]

TL;DR: Add a permissions_policy to your IWA manifest to use Controlled Frame. Read below for exactly what's needed.

Hi all,

As part of our continued work to complete Controlled Frame, we recently landed crrev.com/c/5814831 which now requires the Controlled Frame permissions policy to be enabled in order to provide access to the Controlled Frame API.

To enable the "controlled-frame" permissions policy in your IWA, please modify the manifest's "permissions_policy" field. The new policy uses the same allowlist format as other permissions policies. Here's an example of what the "controlled-frame" policy could look like in your app:

permissions_policy: {

  "controlled-frame": ["self"],

  ...

}

Of course, you may choose to provide a more specific policy tuned to your needs. You can read more about your allowlist options here in these resources:

• Permissions Policy
  
• Permissions-Policy - HTTP | MDN
  
• Controlling browser features with Permissions Policy  |  Privacy & Security  |  Chrome for Developers
  

Let me know if you have any questions,

Chase

[guest271314]

can we use transferable streams between the controlled frame and arbitrary web sites we append the controlled frame to?

--
You received this message because you are subscribed to the Google Groups "iwa-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to iwa-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/iwa-dev/CAKcCwFObykDFoadDc_yH%3DRXAwgUscQ1F3eH%2Bthq1yBtbB3BP5g%40mail.gmail.com.

[Chase Phillips]

Controlled Frame is an IWA API and so is only available to IWAs. The IWA would be the only app that you can append the frame to, so no you can't append a Controlled Frame to any arbitrary web site.

I only just read through the transferable streams explainer so I defer to better experts that may correct me. According to that document, it says if you can postMessage between 2 contexts, you could transfer streams between them.

As for postMessage support, if a third party site is embedded in a Controlled Frame, that site can use postMessage using the same rules as what's described in online documentation just as if it was the top level browsing context in a tab or window.

Chase

[guest271314]

Thanks. I was trying to see if using controlled frame would be simpler than the current approaches I am using to communicate with IWAs from arbitrary Web sites.