PSA: getUserMedia usage from cross-origin iframes will be deprecated in Chrome 63


Raymes Khoury

Jul 6, 2017, 2:07:59 AM
to discuss...@googlegroups.com
Hi there,

We are planning to deprecate the usage of getUserMedia from cross-origin iframes by default in Chrome M63. In order to continue to use getUserMedia from cross-origin iframes, the parent document will need to explicitly allow camera and/or microphone access to the iframe using a Feature Policy, e.g.:

<iframe src="https://example.com" allow="microphone camera"></iframe>

A console deprecation warning will be included in Chrome M61 which will notify developers when attempts are made to use these features from cross-origin iframes.


Cheers,
Raymes

PhistucK

Jul 6, 2017, 2:25:24 AM
to WebRTC-discuss, Joe Medley
It would be great if you made sure that this is somehow announced on Google Developers Update as well (it is more web developer friendly than a chromium.org Google Site).
Example -

(I added Joe to the discussion, perhaps some announcement is already in flight)


PhistucK

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrtc+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/CAEYdGOXAx2%3DrVr5wg0oejSW_wyzZfU0Pf1u_c%2Bs37ymhNSX-3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Saúl Ibarra Corretgé

Jul 6, 2017, 4:11:59 AM
to discuss...@googlegroups.com
Hi,

Thanks for the heads up!

> On Jul 6, 2017, at 01:40, 'Raymes Khoury' via discuss-webrtc <discuss...@googlegroups.com> wrote:
>
> Hi there,
>
> We are planning to deprecate the usage of getUserMedia from cross-origin iframes by default in Chrome M63. In order to continue to use getUserMedia from cross-origin iframes, the parent document will need to explicitly allow camera and/or microphone access to the iframe using a Feature Policy, e.g.:
>
> <iframe src="https://example.com" allow="microphone camera"></iframe>
>
> A console deprecation warning will be included in Chrome M61 which will notify developers when attempts are made to use these features from cross-origin iframes.
>

Is this already available in Canary?


Cheers,
--
Saúl

Xander Dumaine

Jul 7, 2017, 1:03:19 PM
to discuss-webrtc
How will this affect screen capture? We do cross origin iframe screen capture by messaging between the frame and the host page, and between the host page and the chrome extension. This is critical business functionality for us, as we do embedded customer support.

See https://github.com/mypurecloud/iframe-screenshare for details on how the cross origin iframe screen capture works today.

Raymes Khoury

Jul 9, 2017, 6:29:53 PM
to discuss-webrtc, jme...@google.com
I had previously looped in Joe to include an update in the deprecation blog post :) Thanks!


On Thursday, 6 July 2017 16:25:24 UTC+10, PhistucK wrote:
It would be great if you made sure that this is somehow announced on Google Developers Update as well (it is more web developer friendly than a chromium.org Google Site).
Example -

(I added Joe to the discussion, perhaps some announcement is already in flight)


PhistucK

On Thu, Jul 6, 2017 at 2:40 AM, 'Raymes Khoury' via discuss-webrtc <discuss...@googlegroups.com> wrote:
Hi there,

We are planning to deprecate the usage of getUserMedia from cross-origin iframes by default in Chrome M63. In order to continue to use getUserMedia from cross-origin iframes, the parent document will need to explicitly allow camera and/or microphone access to the iframe using a Feature Policy, e.g.:

<iframe src="https://example.com" allow="microphone camera"></iframe>

A console deprecation warning will be included in Chrome M61 which will notify developers when attempts are made to use these features from cross-origin iframes.


Cheers,
Raymes


Raymes Khoury

Jul 9, 2017, 6:30:43 PM
to discuss-webrtc
This isn't available in Canary yet.

Raymes Khoury

Jul 9, 2017, 7:13:08 PM
to discuss-webrtc
Thanks for raising the point about screen capture. Since screen capture is not currently implemented on the web platform in Chrome (i.e., it requires an extension) and the feature policy feature specifically refers to "camera" devices, I'm going to say that this will not impact screen capture. If anything changes I'll make sure we give sufficient notice and an update before shipping. 

PhistucK

Aug 4, 2017, 5:44:18 PM
to Joe Medley, WebRTC-discuss
I think this is the one - crbug.com/689802.


PhistucK

On Fri, Aug 4, 2017 at 8:49 PM, Joe Medley <jme...@google.com> wrote:
PhistucK,

Sorry for the late reply. 

Thanks for including me. Do you have a tracking bug?


Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.

On Wed, Jul 5, 2017 at 11:24 PM, PhistucK <phis...@gmail.com> wrote:
It would be great if you made sure that this is somehow announced on Google Developers Update as well (it is more web developer friendly than a chromium.org Google Site).
Example -

(I added Joe to the discussion, perhaps some announcement is already in flight)


PhistucK

Magestican Mizuten

Sep 6, 2017, 3:05:48 AM
to discuss-webrtc
On 63 this is currently showing an error saying "old syntax has been deprecated", this is because allow="camera,microphone" should be used instead of allow="camera microphone"

Regards

PhistucK

Sep 6, 2017, 3:19:12 AM
to WebRTC-discuss
The intent to deprecate and remove thread says that you are supposed to use semicolons and not commas to separate the feature tokens, like the Content Security Policy syntax.


PhistucK


Ian Clelland

Sep 7, 2017, 3:01:39 AM
to discuss-webrtc


On Wednesday, September 6, 2017 at 3:19:12 AM UTC-4, PhistucK wrote:
The intent to deprecate and remove thread says that you are supposed to use semicolons and not commas to separate the feature tokens, like the Content Security Policy syntax.

Yes, semicolons are definitely the way to go -- it looks like the console deprecation message doesn't actually guide developers as to what to do, I'll see about updating that, thanks. 

Commas *are* actually supported, though not intentionally, as a side effect of using the same syntax for HTTP header parsing. HTTP headers can be implicitly combined with commas, so we handle that case naturally as well.

Also, note that this isn't actually an error, just a warning for now, and we're continuing to support the space-separated syntax for at least one release, to give developers (and documentation authors) a chance to switch over.

Ian



PhistucK

On Wed, Sep 6, 2017 at 5:47 AM, Magestican Mizuten <magestican...@gmail.com> wrote:
On 63 this is currently showing an error saying "old syntax has been deprecated", this is because allow="camera,microphone" should be used instead of allow="camera microphone"

Regards

On Thursday, July 6, 2017 at 4:07:59 PM UTC+10, Raymes Khoury wrote:
Hi there,

We are planning to deprecate the usage of getUserMedia from cross-origin iframes by default in Chrome M63. In order to continue to use getUserMedia from cross-origin iframes, the parent document will need to explicitly allow camera and/or microphone access to the iframe using a Feature Policy, e.g.:

<iframe src="https://example.com" allow="microphone camera"></iframe>

A console deprecation warning will be included in Chrome M61 which will notify developers when attempts are made to use these features from cross-origin iframes.


Cheers,
Raymes


Philipp Hancke

Sep 7, 2017, 6:29:20 AM
to discuss...@googlegroups.com
Have you considered reaching out to folks like jsfiddle and jsbin? Both seem affected by this even now.


Raymes Khoury

Sep 11, 2017, 12:28:56 AM
to discuss-webrtc
As Ian noted, the documented syntax is now to use semi-colons to separate features, not spaces or commas e.g.
<iframe src="https://example.com" allow="microphone; camera"></iframe>

On Mon, 11 Sep 2017 at 10:36 Magestican Mizuten <magestican...@gmail.com> wrote:
The solution is <iframe src="https://example.com" allow="microphone,camera"></iframe>
You need a space instead of a comma.


On Thursday, July 6, 2017 at 4:07:59 PM UTC+10, Raymes Khoury wrote:

Ravindran Antonysamy

Nov 21, 2017, 8:15:52 AM
to discuss-webrtc
In M63 I still see this allowed, but in M64 it's serving me "NotAllowedError".

Do you still consider this to be deprecated in M63?

/Regards, Ravi 

Ian Clelland

Nov 21, 2017, 10:05:14 AM
to discuss...@googlegroups.com
Which part is not allowed? The space-separated list, or camera / microphone access at all?

The current Canary should still be accepting the space-separated terms syntax, but that will be going away soon -- I'm not sure exactly when. You should probably switch to semicolons if that's the issue that you're facing.

If you want to delegate permission for camera and microphone access into cross-origin iframes in M64, I believe it is now mandatory that you use the allow attribute (or an equivalent HTTP header) in every frame from the top-level to the frame which actually calls getUserMedia. If you do that, then the embedded frames can request camera/microphone, and the user will be prompted for permission by the top-level page. If the user denies that permission, you'll see the "NotAllowedError" in that case too.


Raymes Khoury

Nov 21, 2017, 5:26:01 PM
to discuss...@googlegroups.com
To add to what Ian said, and address your observation, this deprecation was bumped back from M63 to M64. Sorry for not updating this thread!


Junji Sawada

Jan 15, 2018, 3:19:09 AM
to discuss-webrtc
Hi Raymes,

I'm currently testing this new Feature Policy for microphone using a parent document that has an iframe in it.
I'm using Version 65.0.3319.0 (Official Build) canary (64-bit).
If the parent document loads a cross-domain page directly into the iframe, the iframe's allow attribute for microphone seems to work, but if the parent document loads a cross-domain page that redirects to yet another (cross-domain) page, the iframe's allow attribute for microphone does not seem to take effect.
Do you know if that is intentional or if there is any workaround?

I hope this is the right place to ask this kind of question.
Please let me know if it's not.

Thank you!

Junji

On Thursday, July 6, 2017 at 2:07:59 AM UTC-4, Raymes Khoury wrote:

Ian Clelland

Jan 15, 2018, 1:14:42 PM
to discuss...@googlegroups.com
On Mon, Jan 15, 2018 at 3:19 AM Junji Sawada <junji....@gmail.com> wrote:
Hi Raymes,

I'm currently testing this new Feature Policy for microphone using a parent document that has an iframe in it.
I'm using Version 65.0.3319.0 (Official Build) canary (64-bit).
If the parent document loads a cross-domain page directly into the iframe, the iframe's allow attribute for microphone seems to work, but if the parent document loads a cross-domain page that redirects to yet another (cross-domain) page, the iframe's allow attribute for microphone does not seem to take effect.
Do you know if that is intentional or if there is any workaround?

That is intentional -- by default, <iframe allow="microphone" src="...."> allows the microphone feature for the domain that you've actually specified through the src attribute. If that page redirects somewhere else, it will be blocked, unless it then redirects back to that original origin again.

(If we didn't do this, then we'd potentially be opening up microphone access to the entire web without the developer knowing)

If you know the origin of the page that you want to grant access to, you can do something like this:

Or, if you really do want to grant camera and mic access to any site which ends up in that frame, then this will work for every domain:

<iframe src="https://example.com/" allow="microphone *; camera *">

The "*" in that case will match every origin, so any content that the frame redirects to will also have microphone and camera access granted.
 

I hope this is the right place to ask this kind of question.
Please let me know if it's not.

Thank you!

Junji

On Thursday, July 6, 2017 at 2:07:59 AM UTC-4, Raymes Khoury wrote:
Hi there,

We are planning to deprecate the usage of getUserMedia from cross-origin iframes by default in Chrome M63. In order to continue to use getUserMedia from cross-origin iframes, the parent document will need to explicitly allow camera and/or microphone access to the iframe using a Feature Policy, e.g.:

<iframe src="https://example.com" allow="microphone camera"></iframe>

A console deprecation warning will be included in Chrome M61 which will notify developers when attempts are made to use these features from cross-origin iframes.


Cheers,
Raymes


Junji Sawada

Jan 16, 2018, 10:33:42 AM
to discuss-webrtc
Thank you. That makes sense.
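
The allow-attribute behaviour discussed in this thread (semicolon, comma and legacy space-separated lists, and grants tied to the `src` origin unless `*` is given), as an added example that is not part of any post and is not Chrome's code. `parseAllow` and `isAllowed` are hypothetical names, the redirect URL in any call is constructed, and explicit-origin allowlist entries are an assumption based on Feature Policy syntax rather than something shown on this page.

```javascript
// Added example: simplified model of <iframe allow> handling as described in this
// thread. Not Chrome's implementation; parseAllow/isAllowed are hypothetical names.
const FEATURES = new Set(["camera", "microphone"]); // the two features discussed here

function parseAllow(allowAttr, src) {
  const srcOrigin = new URL(src).origin;
  const policy = new Map(); // feature -> "*" or Set of allowed origins
  const warnings = [];
  // Semicolons are the documented separator; commas are tolerated as a side
  // effect of sharing the HTTP header syntax.
  for (const decl of allowAttr.split(/[;,]/)) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // Legacy form: allow="microphone camera" (every token is a feature name).
    if (tokens.length > 1 && tokens.every((t) => FEATURES.has(t))) {
      warnings.push("space-separated feature list is deprecated; use semicolons");
      for (const t of tokens) policy.set(t, new Set([srcOrigin]));
      continue;
    }
    const [feature, ...allowlist] = tokens;
    if (allowlist.includes("*")) {
      policy.set(feature, "*"); // any origin that ends up in the frame
      continue;
    }
    const origins = new Set();
    for (const entry of allowlist) {
      try {
        origins.add(new URL(entry).origin); // explicit origin (assumed syntax)
      } catch {
        warnings.push(`ignored allowlist entry: ${entry}`);
      }
    }
    // No allowlist given: the grant applies only to the origin named in src.
    policy.set(feature, allowlist.length ? origins : new Set([srcOrigin]));
  }
  return { policy, warnings };
}

// Is `feature` delegated to the document currently loaded in the frame?
function isAllowed(parsed, feature, documentUrl) {
  const entry = parsed.policy.get(feature);
  if (!entry) return false; // feature never delegated
  return entry === "*" || entry.has(new URL(documentUrl).origin);
}
```

Running `isAllowed` against the frame's post-redirect URL shows why a default grant stops applying after a cross-origin redirect, and how much wider the `*` form is.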