Summary: People don't have a good understanding of iframes, because
generally no UI indicates that a page contains iframes, or what their
origin is. Permission requests from iframes cause significant confusion
for users because it is hard to determine where the requests come from:
the address bar does not match the site named in the permission prompt.
Currently, Firefox allows iframes on a site to make permission requests
and show a permission prompt using the origin of the iframe. Asking a
user to make a decision based on the third-party context presented in the
notification prompt is complicated and confusing. This confusion is
exacerbated when managing previously stored permission decisions.
To address this problem, we would like to impose a restriction on
permissions coming from third-party context. There would be two main
changes proposed:
- Give the ability to delegate permissions from the first party to
  third-party embedded iframes, and restrict embedded iframes to requesting
  a permission only when the iframe's embedder has explicitly delegated it.
  The permission request will show the top-level origin in the prompt, so
  users are only required to make permission decisions about the first-party
  context.
  - This change depends on the ability of Feature Policy to disable
    permissions by default in cross-origin iframes. It will require a site
    to explicitly allow permissions for cross-origin iframes (by setting the
    allow attribute, e.g. allow="geolocation"); otherwise, permission
    requests will be denied in those iframes.
  - The change will be applied to the geolocation, camera, microphone and
    screen-sharing permissions, and to fullscreen requests.
- Completely deny permissions from third-party context for the vibration,
  notification, and persistent-storage permissions.
The plan is:
- Enable the Feature Policy allow attribute.
- Make the camera/microphone/geolocation/display-capture/fullscreen
  permissions disabled by default in third-party iframes.
- Delegate permissions: only cross-origin iframes that have been explicitly
  delegated a permission by their parent through the allow attribute will
  have the right to make permission requests.
- Reduce the number of supported features to geolocation, camera,
  microphone, screen-sharing, and fullscreen (the above features are
  supported in the permissions UI with notification prompts, except
  fullscreen). We will move all other features to an experimental phase
  behind a user preference which is disabled by default.
- Simplify prompts/dialogs to only contain the top-level origin.
- Deny the vibration and persistent-storage permissions from third-party
  iframes (notification permission was already disabled in third-party
  context; this just needs some minor refactoring).
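Added example (my own model, not Firefox's implementation or the Feature Policy spec's algorithm): the delegation rule from the changes and plan above, evaluated over a chain of frames in JavaScript. It assumes the top-level document sends no Feature-Policy header, models the default allowlist of the listed features as 'self' (disabled by default cross-origin), and uses constructed origins and feature labels that are not necessarily Firefox's identifiers.

```javascript
// Model (added here, not Firefox's or the spec's code) of how the iframe
// `allow` attribute gates a permission under the proposal. The listed
// features default to 'self', so a cross-origin frame only gets them via
// delegation. Feature names are labels for this model only.
const DEFAULT_ALLOWLIST = {
  geolocation: "'self'", camera: "'self'", microphone: "'self'",
  'display-capture': "'self'", fullscreen: "'self'",
};
// Denied outright in any cross-origin frame, whatever `allow` says.
const THIRD_PARTY_DENIED = new Set(['vibration', 'notifications', 'persistent-storage']);

// "geolocation; camera 'none'; microphone https://a.example" -> {feature: [tokens]}.
// A bare feature name yields an empty token list, meaning the frame's own origin.
function parseAllowAttribute(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy[feature.toLowerCase()] = allowlist;
  }
  return policy;
}

// 'self' is the embedding document's origin, 'src' the frame's own origin.
function allowlistMatches(tokens, frameOrigin, embedderOrigin) {
  if (tokens.length === 0) return true;
  if (tokens.includes("'none'")) return false;
  return tokens.some(t => t === '*' || t === "'src'" || t === frameOrigin ||
                          (t === "'self'" && frameOrigin === embedderOrigin));
}

// One hop: may `feature` be used in `frameOrigin`, embedded by `embedderOrigin`
// through <iframe allow="..."> with value `allowAttr`? No directive => default.
function featureAllowedInFrame(feature, frameOrigin, embedderOrigin, allowAttr) {
  const crossOrigin = frameOrigin !== embedderOrigin;
  if (crossOrigin && THIRD_PARTY_DENIED.has(feature)) return false;
  const tokens = parseAllowAttribute(allowAttr || '')[feature];
  if (tokens !== undefined) return allowlistMatches(tokens, frameOrigin, embedderOrigin);
  const dflt = DEFAULT_ALLOWLIST[feature];
  return dflt !== undefined && allowlistMatches([dflt], frameOrigin, embedderOrigin);
}

// Delegation is transitive: walk from the top-level document (assumed to have
// every known feature) down to the leaf. chain = [{origin}, {origin, allowAttr}, ...]
// where allowAttr is the attribute on the <iframe> that embeds that entry.
function featureAllowedInChain(feature, chain) {
  let allowed = DEFAULT_ALLOWLIST[feature] !== undefined || THIRD_PARTY_DENIED.has(feature);
  for (let i = 1; i < chain.length && allowed; i++) {
    allowed = featureAllowedInFrame(feature, chain[i].origin, chain[i - 1].origin, chain[i].allowAttr);
  }
  return allowed;
}
```

A prompt raised from any frame in the chain would, under the proposal, name chain[0].origin, which is why the decision is evaluated against the whole chain rather than the requesting frame alone.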
Bug: The tracking bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1572461
Standard: Feature Policy
https://w3c.github.io/webappsec-feature-policy/#iframe-allow-attribute
Platform coverage: All.
Preference:
dom.security.featurePolicy.experimental.enabled: disabled by default; we
will limit the supported features in Feature Policy to geolocation, camera,
microphone, fullscreen and display-capture, and move the others to the
experimental phase.
permissions.delegate.enabled: enabled by default
dom.security.featurePolicy.enabled: this pref is implemented in Firefox 65
but enabled by default in Nightly only
Other browsers: Chrome supports permission delegation from Chrome 71.
web-platform-tests: We only have web-platform-tests for Feature Policy, not
for permission delegation.
Some of the Feature Policy web-platform-tests that check that permissions
are disabled by default in cross-origin iframes:
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/feature-policy
testing/web-platform/tests/permissions/feature-policy-permissions-query.html
<https://searchfox.org/mozilla-central/source/testing/web-platform/tests/permissions/feature-policy-permissions-query.html>
testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html
<https://searchfox.org/mozilla-central/source/testing/web-platform/tests/mediacapture-streams/MediaStream-default-feature-policy.https.html>
testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-mic.https.html
<https://phabricator.services.mozilla.com/D42958#change-R6vBFB8IJIFC>
testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices-not-allowed-camera.https.html
<https://phabricator.services.mozilla.com/D42958#change-7eOHWcqTIeBw>
testing/web-platform/tests/mediacapture-streams/MediaDevices-enumerateDevices.https.html
<https://phabricator.services.mozilla.com/D42958#change-pqamxq3whbwg>
Secure contexts: yes.
Is this feature enabled by default in sandboxed iframes? Yes
--
Best regards,
=====================================================
Thomas Nguyen
IRC :
tng...@irc.mozilla.com
Slack: tnguyen
Email:
tng...@mozilla.com
=====================================================