Intent to Ship: Restrict Gamepad usage

211 views
Skip to first unread message

Tarek ElBahnasawy

unread,
Apr 19, 2022, 9:51:46 PMApr 19
to blin...@chromium.org, Joshua Bell, Hongchan Choi, Matt Reynolds

Contact emails

mattre...@google.com


Explainer

https://hacks.mozilla.org/2020/07/securing-gamepad-api/


Specification

https://www.w3.org/TR/gamepad/

https://github.com/w3c/gamepad/pull/112


Design docs

https://docs.google.com/document/d/1Dj_7EpT9ttnI96BuNXtLEJkHEq0orHgoLeYaOBz9xsU/edit?usp=sharing


Summary

Adds a "gamepad" permissions policy-controlled feature. Information about connected gamepads is only provided to contexts that are allowed to access the "gamepad" feature.  Default policy allows cross-origin iframes and does not change behavior on existing sites.


Note that the Securing Gamepad API article and Chrome Platform Status entry also describe a change to require Secure Context. This intent only applies to the policy-controlled feature. The secure context requirement will be communicated in a separate Intent.


Blink component

Blink>GamepadAPI


TAG review

N/A


Risks



Interoperability and Compatibility

Firefox initially rolled out this change with the default allowlist set to 'self' which broke some sites that accessed gamepads from a cross-origin iframe. To avoid breakage, the default allowlist was changed to '*' (all) which has the same behavior as the current implementation. Since the behavior is the same we do not anticipate any breakage.


Gecko: Shipped in Firefox 82


WebKit: No signals


Web developers: Strongly Negative (https://github.com/w3c/gamepad/issues/145) Chris from Megapixel VR asked not to restrict to secure contexts due to breaking locally hosted (but not localhost) services and the use of self-signed certificates.


Other signals: None



Is this feature fully tested by web-platform-tests?

Yes


Flag name

chrome://flags/#restrict-gamepad-access


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1314563


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5138714634223616


Tarek ElBahnasawy

Sr. Technical Program Manager 

Web Platform

telbah...@google.com

Yoav Weiss

unread,
Apr 20, 2022, 7:45:26 AMApr 20
to Tarek ElBahnasawy, blink-dev, Joshua Bell, Hongchan Choi, Matt Reynolds
On Wed, Apr 20, 2022 at 3:51 AM 'Tarek ElBahnasawy' via blink-dev <blin...@chromium.org> wrote:

Contact emails

mattre...@google.com


Explainer

https://hacks.mozilla.org/2020/07/securing-gamepad-api/


Specification

https://www.w3.org/TR/gamepad/

https://github.com/w3c/gamepad/pull/112


Design docs

https://docs.google.com/document/d/1Dj_7EpT9ttnI96BuNXtLEJkHEq0orHgoLeYaOBz9xsU/edit?usp=sharing


Summary

Adds a "gamepad" permissions policy-controlled feature. Information about connected gamepads is only provided to contexts that are allowed to access the "gamepad" feature.  Default policy allows cross-origin iframes and does not change behavior on existing sites.


Note that the Securing Gamepad API article and Chrome Platform Status entry also describe a change to require Secure Context. This intent only applies to the policy-controlled feature. The secure context requirement will be communicated in a separate Intent.


Blink component

Blink>GamepadAPI


TAG review

N/A


Risks



Interoperability and Compatibility

Firefox initially rolled out this change with the default allowlist set to 'self' which broke some sites that accessed gamepads from a cross-origin iframe. To avoid breakage, the default allowlist was changed to '*' (all) which has the same behavior as the current implementation. Since the behavior is the same we do not anticipate any breakage.


Gecko: Shipped in Firefox 82


WebKit: No signals


Web developers: Strongly Negative (https://github.com/w3c/gamepad/issues/145) Chris from Megapixel VR asked not to restrict to secure contexts due to breaking locally hosted (but not localhost) services and the use of self-signed certificates.


Is it correct to think that since this intent doesn't change the secure context requirements for the API, this signal is not meaningful here?
More broadly, since the Permission Policy's default will be `*`, the top-level origin would need to change their policy for embedded contexts to lose their permission, right?
 

Other signals: None



Is this feature fully tested by web-platform-tests?

Yes


Flag name

chrome://flags/#restrict-gamepad-access


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1314563


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5138714634223616


Tarek ElBahnasawy

Sr. Technical Program Manager 

Web Platform

telbah...@google.com

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKfE4fJX8VOe1imhcv1AGZdg7EKMoDeO-_So5OemGv2pCeGiRQ%40mail.gmail.com.

Matt Reynolds

unread,
Apr 20, 2022, 1:54:48 PMApr 20
to blink-dev, yoav...@chromium.org, blink-dev, Joshua Bell, Hongchan Choi, Matt Reynolds, Tarek ElBahnasawy
> Is it correct to think that since this intent doesn't change the secure context requirements for the API, this signal is not meaningful here?

Yes, this was feedback for the secure context change and isn't relevant here. We decided to communicate the secure context change in a separate intent but forgot to remove the feedback.

> More broadly, since the Permission Policy's default will be `*`, the top-level origin would need to change their policy for embedded contexts to lose their permission, right?

Correct.

Yoav Weiss

unread,
Apr 21, 2022, 1:38:12 AMApr 21
to blink-dev, mattre...@google.com, Yoav Weiss, blink-dev, Joshua Bell, Hongchan Choi, telbah...@google.com
LGTM1

Tarek ElBahnasawy

unread,
Apr 22, 2022, 2:52:46 PMApr 22
to Yoav Weiss, blink-dev, mattre...@google.com, Joshua Bell, Hongchan Choi
Hi guys,

Any other comments or concerns?

Tarek ElBahnasawy

Sr. Technical Program Manager 

Web Platform

telbah...@google.com


Daniel Bratell

unread,
Apr 25, 2022, 7:31:25 AMApr 25
to Tarek ElBahnasawy, Yoav Weiss, blink-dev, mattre...@google.com, Joshua Bell, Hongchan Choi

rego via Chromestatus

unread,
Apr 25, 2022, 7:59:29 AMApr 25
to blin...@chromium.org
LGTM3

jmedley via Chromestatus

unread,
Apr 25, 2022, 10:33:08 AMApr 25
to blin...@chromium.org
Which version of Chrome are you hoping to ship this in?

Hongchan Choi

unread,
Apr 26, 2022, 2:09:47 PMApr 26
to jmedley via Chromestatus, blin...@chromium.org
We're looking at M103.

On Mon, Apr 25, 2022 at 7:33 AM jmedley via Chromestatus <admin+...@cr-status.appspotmail.com> wrote:
Which version of Chrome are you hoping to ship this in?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Matt Reynolds

unread,
Apr 26, 2022, 2:10:17 PMApr 26
to jmedley via Chromestatus, 'Joe Medley' via blink-dev
Chrome 103

On Mon, Apr 25, 2022 at 7:33 AM jmedley via Chromestatus <admin+...@cr-status.appspotmail.com> wrote:
Which version of Chrome are you hoping to ship this in?

--

Artur Janc

unread,
Apr 27, 2022, 4:45:16 AMApr 27
to blink-dev, Matt Reynolds, 'Joe Medley' via blink-dev, jmedley via Chromestatus
Hey folks,

Can you share a little bit about your future plans to restrict the use of Gamepad API? Implementing Permissions Policy integration sounds good, but without the restriction to secure contexts and changing the default allowlist to 'self' it doesn't seem like we're substantially locking down the API. Are you planning to do this in subsequent intents?

Thanks!
-Artur

Matt Reynolds

unread,
Apr 27, 2022, 10:58:02 PMApr 27
to Artur Janc, 'Joe Medley' via blink-dev, jmedley via Chromestatus
Yes, there will be a separate intent for the change to require a secure context. We're making this change first since it's not expected to break anything while the secure context change will break API access from non-secure contexts.

I put together some notes on my current plans in Securing Gamepad API in Chrome and will update that if anything changes.

- Matt

Artur Janc

unread,
Apr 28, 2022, 4:56:08 AMApr 28
to Matt Reynolds, 'Joe Medley' via blink-dev, jmedley via Chromestatus
Great, thanks for the update.

-A
Reply all
Reply to author
Forward
0 new messages