Feature request: add 'allow-geolocation' to IFRAME sandbox mode in HtmlService

276 views
Skip to first unread message

My Routes

unread,
Nov 1, 2017, 4:26:44 PM11/1/17
to Google Caja Discuss
Due to announced deprecating permissions in cross-origin IFrames

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes

every call for geolocation from HtmlService based frame causes a warning in Chrome 61:

[Deprecation] getCurrentPosition and watchPosition usage in cross-origin iframes is deprecated and will be disabled in M63, around December 2017. To continue to use this feature, it must be enabled by the embedding document using Feature Policy, e.g. <iframe allow="geolocation" ...>. See https://goo.gl/EuHzyv for more details.

In order for a cross-origin frame to use these feature, the Google Script HtmlService based frame must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe the developer should be able to specify the iframe mode in scope of HtmlService.XFrameOptionsMode.ALLOWALL.

This new feature requested in the apps script support blog. You can vote for it.

Kevin Reid

unread,
Nov 3, 2017, 1:43:54 PM11/3/17
to Google Caja Discuss
On Wed, Nov 1, 2017 at 8:20 AM, My Routes <myro...@gmail.com> wrote:
In order for a cross-origin frame to use these feature, the Google Script HtmlService based frame must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe the developer should be able to specify the iframe mode in scope of HtmlService.XFrameOptionsMode.ALLOWALL.

This new feature requested in the apps script support blog. You can vote for it.

Apps Script IFRAME sandbox mode is not based on Caja, so we cannot help you with getting this feature, sorry.
Reply all
Reply to author
Forward
0 new messages