Intent to Ship: Restrict Gamepad usage

[Tarek ElBahnasawy]

Contact emails

mattre...@google.com

Explainer

https://hacks.mozilla.org/2020/07/securing-gamepad-api/

Specification

https://www.w3.org/TR/gamepad/

https://github.com/w3c/gamepad/pull/112

Design docs

https://docs.google.com/document/d/1Dj_7EpT9ttnI96BuNXtLEJkHEq0orHgoLeYaOBz9xsU/edit?usp=sharing

Summary

Adds a "gamepad" permissions policy-controlled feature. Information about connected gamepads is only provided to contexts that are allowed to access the "gamepad" feature.  Default policy allows cross-origin iframes and does not change behavior on existing sites.

Note that the Securing Gamepad API article and Chrome Platform Status entry also describe a change to require Secure Context. This intent only applies to the policy-controlled feature. The secure context requirement will be communicated in a separate Intent.

Blink component

Blink>GamepadAPI

TAG review

N/A

Risks

Interoperability and Compatibility

Firefox initially rolled out this change with the default allowlist set to 'self' which broke some sites that accessed gamepads from a cross-origin iframe. To avoid breakage, the default allowlist was changed to '*' (all) which has the same behavior as the current implementation. Since the behavior is the same we do not anticipate any breakage.

Gecko: Shipped in Firefox 82

WebKit: No signals

Web developers: Strongly Negative (https://github.com/w3c/gamepad/issues/145) Chris from Megapixel VR asked not to restrict to secure contexts due to breaking locally hosted (but not localhost) services and the use of self-signed certificates.

Other signals: None

Is this feature fully tested by web-platform-tests?

Yes

Flag name

chrome://flags/#restrict-gamepad-access

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1314563

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5138714634223616

Tarek ElBahnasawy Sr. Technical Program Manager  Web Platform telbah...@google.com

[Yoav Weiss]

On Wed, Apr 20, 2022 at 3:51 AM 'Tarek ElBahnasawy' via blink-dev <blin...@chromium.org> wrote:

Contact emails

mattre...@google.com

Explainer

https://hacks.mozilla.org/2020/07/securing-gamepad-api/

Specification

https://www.w3.org/TR/gamepad/

https://github.com/w3c/gamepad/pull/112

Design docs

https://docs.google.com/document/d/1Dj_7EpT9ttnI96BuNXtLEJkHEq0orHgoLeYaOBz9xsU/edit?usp=sharing

Summary

Adds a "gamepad" permissions policy-controlled feature. Information about connected gamepads is only provided to contexts that are allowed to access the "gamepad" feature.  Default policy allows cross-origin iframes and does not change behavior on existing sites.

Note that the Securing Gamepad API article and Chrome Platform Status entry also describe a change to require Secure Context. This intent only applies to the policy-controlled feature. The secure context requirement will be communicated in a separate Intent.

Blink component

Blink>GamepadAPI

TAG review

N/A

Risks

Interoperability and Compatibility

Firefox initially rolled out this change with the default allowlist set to 'self' which broke some sites that accessed gamepads from a cross-origin iframe. To avoid breakage, the default allowlist was changed to '*' (all) which has the same behavior as the current implementation. Since the behavior is the same we do not anticipate any breakage.

Gecko: Shipped in Firefox 82

WebKit: No signals

Web developers: Strongly Negative (https://github.com/w3c/gamepad/issues/145) Chris from Megapixel VR asked not to restrict to secure contexts due to breaking locally hosted (but not localhost) services and the use of self-signed certificates.

Is it correct to think that since this intent doesn't change the secure context requirements for the API, this signal is not meaningful here?

More broadly, since the Permission Policy's default will be `*`, the top-level origin would need to change their policy for embedded contexts to lose their permission, right?

 

Other signals: None

Is this feature fully tested by web-platform-tests?

Yes

Flag name

chrome://flags/#restrict-gamepad-access

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1314563

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5138714634223616

Tarek ElBahnasawy Sr. Technical Program Manager  Web Platform telbah...@google.com

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKfE4fJX8VOe1imhcv1AGZdg7EKMoDeO-_So5OemGv2pCeGiRQ%40mail.gmail.com.

[Matt Reynolds]

> Is it correct to think that since this intent doesn't change the secure context requirements for the API, this signal is not meaningful here?

Yes, this was feedback for the secure context change and isn't relevant here. We decided to communicate the secure context change in a separate intent but forgot to remove the feedback.

> More broadly, since the Permission Policy's default will be `*`, the top-level origin would need to change their policy for embedded contexts to lose their permission, right?

Correct.

[Yoav Weiss]

LGTM1

[Tarek ElBahnasawy]

Hi guys,

Any other comments or concerns?

Tarek ElBahnasawy Sr. Technical Program Manager  Web Platform telbah...@google.com

[Daniel Bratell]

LGTM2

/Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKfE4fLqQ5bf7kVD5Dnf0M1%3DY5%2B3WscWTddrXcz9kpO-k-C_yg%40mail.gmail.com.

[rego via Chromestatus]

LGTM3

[jmedley via Chromestatus]

Which version of Chrome are you hoping to ship this in?

[Hongchan Choi]

We're looking at M103.

On Mon, Apr 25, 2022 at 7:33 AM jmedley via Chromestatus <admin+...@cr-status.appspotmail.com> wrote:

Which version of Chrome are you hoping to ship this in?

--

You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/00000000000039989e05dd7b742d%40google.com.

[Matt Reynolds]

Chrome 103

On Mon, Apr 25, 2022 at 7:33 AM jmedley via Chromestatus <admin+...@cr-status.appspotmail.com> wrote:

Which version of Chrome are you hoping to ship this in?

--

[Artur Janc]

Hey folks,

Can you share a little bit about your future plans to restrict the use of Gamepad API? Implementing Permissions Policy integration sounds good, but without the restriction to secure contexts and changing the default allowlist to 'self' it doesn't seem like we're substantially locking down the API. Are you planning to do this in subsequent intents?

Thanks!

-Artur

[Matt Reynolds]

Yes, there will be a separate intent for the change to require a secure context. We're making this change first since it's not expected to break anything while the secure context change will break API access from non-secure contexts.

I put together some notes on my current plans in Securing Gamepad API in Chrome and will update that if anything changes.

- Matt

[Artur Janc]

Great, thanks for the update.

-A