Intent to Ship: web-share permission policy


Eric Willigers

Nov 17, 2022, 5:17:13 PM
to blink-dev
Contact emails

Explainer

Specification
https://w3c.github.io/web-share/#permissions-policy

Summary
A new permission policy, "web-share", controls access to navigator.share().

The default allowlist is 'self', avoiding possible abuse by third party iframes.

Link to blink-dev discussion

Blink component
Blink>WebShare


TAG review
Not needed, trivial change to existing spec

TAG review status
Not applicable


Risks

Interoperability and Compatibility

navigator.share() is called by embedded iframes. These may expect share() calls to succeed, when now they will fail if permission has not been granted.


Firefox has successfully shipped the feature.


Failures were observed with YouTube; these have now been addressed.




Gecko: Shipped/Shipping (https://github.com/w3c/web-share/pull/252)


WebKit: Shipped/Shipping (https://github.com/w3c/web-share/issues/169) CL recently merged: https://github.com/WebKit/WebKit/commit/ded7a6094a6ca38833e63a7915b7b6a2832f5734


Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

N/A - Web Share API is not enabled in WebView.



Debuggability
No DevTools changes needed.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

The Permissions Policy will be supported on all platforms that support Web Share API. Currently, this is Android, Chrome OS, Windows.


Is this feature fully tested by web-platform-tests?
Yes

Flag name

Requires code in //chrome?
False


Tracking bug

Sample links

Estimated milestones
M110

Anticipated spec changes

-


Link to entry on the Chrome Platform Status
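
The delegation rule this thread discusses, as an added example that is not part of the original posts and is not Chromium code: a simplified model of the Permissions Policy check for one iframe embedded directly in a top-level page. The function names and the example origins are assumptions made for illustration.

```javascript
// Added example: simplified model of how "web-share" is resolved for one iframe
// embedded directly in a top-level page. Origins used with it are constructed.
const DEFAULT_ALLOWLIST = ["self"]; // the default allowlist stated in the intent

// Allowlist from a Permissions-Policy response header, or null if web-share is absent.
function parseHeader(header) {
  const m = /(?:^|,)\s*web-share\s*=\s*(\*|self|\(([^)]*)\))/.exec(header || "");
  if (!m) return null;
  if (m[1] === "*" || m[1] === "self") return [m[1]];
  return m[2].split(/\s+/).filter(Boolean).map((t) => t.replace(/^"|"$/g, ""));
}

// Allowlist from an iframe allow="" attribute, or null if web-share is absent.
function parseAllow(allow) {
  for (const directive of (allow || "").split(";")) {
    const [name, ...list] = directive.trim().split(/\s+/);
    if (name !== "web-share") continue;
    // A bare feature name delegates to the origin of the iframe's src.
    return list.length ? list.map((t) => t.replace(/^'|'$/g, "")) : ["src"];
  }
  return null;
}

function matches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((entry) =>
    entry === "*" ||
    (entry === "self" && origin === selfOrigin) ||
    (entry === "src" && origin === srcOrigin) ||
    entry === origin);
}

// True if navigator.share() would be policy-allowed in the framed document.
function frameMayShare({ topOrigin, header, frameOrigin, allow }) {
  const declared = parseHeader(header);
  // The embedding page must have the feature itself...
  if (!matches(declared || DEFAULT_ALLOWLIST, topOrigin, topOrigin)) return false;
  // ...and a declared header allowlist must also cover the frame's origin.
  if (declared && !matches(declared, frameOrigin, topOrigin)) return false;
  const container = parseAllow(allow);
  if (container) return matches(container, frameOrigin, topOrigin, frameOrigin);
  return frameOrigin === topOrigin; // no delegation: default allowlist 'self'
}
```

In this model a cross-origin frame needs `allow="web-share"` on the iframe, and if the embedding page also sends a `Permissions-Policy` header naming web-share, that header's allowlist has to include the frame's origin as well.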

Yoav Weiss

Nov 18, 2022, 4:25:47 AM
to Eric Willigers, blink-dev
LGTM1

Thanks for catching us up here! :)

On Thu, Nov 17, 2022 at 11:18 PM Eric Willigers <ericwi...@chromium.org> wrote:
Contact emails

Explainer

Specification
https://w3c.github.io/web-share/#permissions-policy

Summary
A new permission policy, "web-share", controls access to navigator.share().

The default allowlist is 'self', avoiding possible abuse by third party iframes.

Link to blink-dev discussion

Blink component
Blink>WebShare


TAG review
Not needed, trivial change to existing spec

A better reasoning would be that we're aligning to shipped behavior in other engines.
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e4303ef1-c709-4f90-b97b-e2fc4b0f2e2bn%40chromium.org.

Mike Taylor

Nov 18, 2022, 10:24:43 AM
to Yoav Weiss, Eric Willigers, blink-dev
LGTM2. I think we should expect some compat issues with this change, but they're currently the ones experienced by Safari and Firefox:


Do we have any plans to make the developer community aware of the need to delegate web-share permission to iframes now? Maybe a blog post in the works?

Mike West

Nov 22, 2022, 3:14:46 AM
to blink-dev, Mike Taylor, blink-dev, Yoav Weiss, Eric Willigers
LGTM3.

-mike


Marcos Caceres

Feb 1, 2023, 12:02:26 PM
to blink-dev, mk...@chromium.org, mike...@chromium.org, blink-dev, yoav...@chromium.org, Eric Willigers
Hi Blink-Dev friends,
 
Over on the WebKit side we published a PSA for developers about the permission policy change:

As this change affects all browsers and quite a few sites, it would be amazing if folks doing developer relations on the Blink side could help spread the word through your dev channels.

Thanks in advance! 🙏


Thomas Steiner

Feb 1, 2023, 12:16:15 PM
to Marcos Caceres, Eric Willigers, blink-dev, mike...@chromium.org, mk...@chromium.org, yoav...@chromium.org
Thanks, Marcos. I’ll take care on the Chrome side. 

Cheers,
Tom

--
Thomas Steiner, PhD—Developer Relations Engineer (https://blog.tomayac.com, https://twitter.com/tomayac)


Thomas Steiner

Feb 2, 2023, 4:43:05 AM
to Thomas Steiner, Marcos Caceres, Eric Willigers, blink-dev, mike...@chromium.org, mk...@chromium.org, yoav...@chromium.org
On Wed, Feb 1, 2023 at 6:15 PM Thomas Steiner <to...@google.com> wrote:
Thanks, Marcos. I’ll take care on the Chrome side. 

Here's the PR: https://github.com/GoogleChrome/web.dev/pull/9494. I will also get an additional quick blog post out.

Cheers,
Tom

Thomas Steiner

Feb 3, 2023, 9:48:08 AM
to Thomas Steiner, Marcos Caceres, Eric Willigers, blink-dev, mike...@chromium.org, mk...@chromium.org, yoav...@chromium.org
Aaaaand the full announcement blog post PR is merged, too: https://github.com/GoogleChrome/developer.chrome.com/pull/5143. We're all covered.

(In case you're wondering: the post is on developer.chrome.com and not on web.dev (as the original Web Share post) because the WebKit change is in TP, but not in a released version yet.) 
