Make allowfullscreen and allowusermedia match implementations #1492
Conversation
|
We've implemented fullscreen sandboxing, but fine to remove it given no other browser does that. |
|
Why isn't allowusermedia a sandbox flag directly instead of adding something aligned with allowfullscreen attribute? |
|
Presumably they want to allow it outside sandboxed |
|
Isn't usermedia allowed by default if not sandboxed? |
|
Presumably not in an |
|
I don't see anything in either our codebase or Chromium's codebase includes |
|
There's a problem with walking the parent iframes when you have out-of-process iframes, you can't actually check that synchronously. There was some discussion about this in https://docs.google.com/document/d/1PkpVsDiGlpsGv4vbViHoa2zmzrjCWSy2ASwGl3KR0FE/edit?usp=sharing |
|
@upsuper, this isn't really the place to have that discussion. The folks working on Media Capture and Streams made that call and I assume they have some reason as to why it's okay. @foolip, numerous APIs have that problem today. I'm hoping those working on that have some idea as to how they are going to update the standards. For now though, this is how browsers implement this. |
|
@foolip If Chrome is fine to live with that compability issue, we can do so as well. And if you can ship that change to release in this year (not necessarily with unprefixed API), I would make the current state ride the train to the release. I don't think it is something worth adding another flag... |
|
Let's not assume that everyone has considered all of the implications for compat. Does anyone know where that discussion was had for Media Capture and Streams? Without telemetry, it's hard to have any confidence that changing the default from allow to disallow will work out. |
It looks like the way it was implemented in Chromium is to replicate the attribute values on a proxy object in the other process. I guess that's not possible to distinguish from what you've proposed here. |
|
@annevk OK, it seems Chrome disallows gUM in |
This bug issue is not about changing defaults. It is only about removing the sandbox association and making the check dynamic, for both allow* attributes, to match implementations for allowfullscreen and match the intent for allowusermedia. It's a little frustrating to discuss all kinds of unrelated matters in a PR that is solely about improving compatibility with implementations. |
Oh, it seems Gecko has something similiar, and I guess this would work. |
|
OK, so this change looks good to me. |
|
Can someone explain to me what the difference is between a dynamic check, as in this PR, and the sandboxing-based version---if we fixed all the bugs with copying the sandboxing flags around? I always thought the reason allowfullscreen/allowusermedia were stored in the same place as the sandbox flag was purely for spec organization purposes, and I still kind of prefer the idea of grouping them all together. If there is a difference, I think explaining it would be an important part of the commit message here. |
| <p>The <dfn><code data-x="attr-iframe-allowusermedia">allowusermedia</code></dfn> attribute is a | ||
| <span>boolean attribute</span>. When specified, it indicates that <code>Document</code> objects in | ||
| the <code>iframe</code> element's <span>browsing context</span> are to be allowed to use <code | ||
| data-x="dom-MediaDevices-getUserMedia">getUserMedia()</code> (if it's not blocked for other | ||
| reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p> | ||
|
|
||
| <div w-nodev> | ||
| <p id="fullscreen-logic">To determine whether <code>Document</code> object <var>document</var> is | ||
| <dfn>allowed to use</dfn> a feature indicated by attribute name <var>allowattribute</var>, run |
There was a problem hiding this comment.
How would specs call this? Something like
If document is allowed to use the feature indicated by the attribute name "allowusermedia"
? Seems kind of verbose... I don't have any specific better suggestions though.
|
I had a quick look, and this PR seems fine to me (but I hope someone will check more thoroughly). |
|
@domenic the difference is when the attribute is observed. |
|
Can you be more specific? For example, showing some sample code that would cause different results? |
|
Sure, just set the attribute post-load. Works in browsers, doesn't work per spec. |
|
Ah I see, thanks. I think that would be good to include in the eventual commit message. |
Fullscreen sandboxing was never implemented and it appears there are no immediate plans for it by either Google or Mozilla. So let’s remove it. Fixes #1240. This also removes sandboxing for getUserMedia() as that meant to follow the example set by fullscreen. A feature that can be allowed in nested browsing contexts, is not by default, and does not require sandboxing to be enabled for it to be allowed. Furthermore, the way allowfullscreen works in implementations is by dynamically checking the attribute. That requires moving to an “allowed to use” algorithm rather than using a fullscreen enabled flag. The fullscreen enabled flag was determined upon creation of the document and frozen afterwards. This new model allows setting the attribute at any point. (Note that this is different from how sandboxing works, which is frozen upon creation, but now they are no longer tied that matters less.) Fixes #1481. (Aside, the fullscreen enabled flag logic got broken in 688df43, but that no longer matters.) This change also aligns the recently introduced allowusermedia with that model since implementers likely want that to remain matching allowfullscreen.
|
Updated the commit message. |
|
Seems like there's confusion about the current default for Here's my <!doctype html>
<button>getUserMedia</button>
<script>
if (!navigator.getUserMedia) {
navigator.getUserMedia = navigator.mozGetUserMedia || navigator.webkitGetUserMedia;
}
document.querySelector('button').onclick = function(event) {
navigator.getUserMedia({audio:true}, function() {
event.target.textContent = 'OK';
}, function() {
event.target.textContent = 'ERROR';
});
event.target.textContent = '...';
event.target.disabled = true;
}
</script>In Chrome, embedding that in an iframe from a same-origin or cross-origin page works, AFAICT the only requirement is that it's a secure origin. In Firefox same-origin works as well, but I wasn't able to test cross-origin because my other test site was on an internal network with a magic certificate. I wasn't able to test Edge because it's running in a virtual machine with no camera or microphone. (I see no particular reason to suspect differences between same-origin or cross-origin iframes, but it was worth testing.) It doesn't seem safe to assume that making |
Again, isn't that an orthogonal issue? |
|
The refactoring into a shared algorithm only makes sense with a hoped-for end state where This change looks good and indeed necessary for Fullscreen, but it seems somewhat unlikely to me that the I will comment on #1211 and w3c/mediacapture-main#353 |
|
Looks like the original discussion was in w3c/mediacapture-main#268 |
|
Even if |
|
|
||
| <ol> | ||
| <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has | ||
| <em>no</em> <span>browsing context container</span>, then return true.</p></li> |
There was a problem hiding this comment.
It's somewhat common for "not" and I tend to use it myself quite a bit in other standards. I think it helps as typically there is no negation.
There was a problem hiding this comment.
Hmm, I think this also opens up a hole for something like this in any context:
var doc = document.implementation.createHTMLDocument();
doc.documentElement.requestFullscreen();Because doc doesn't have a browsing context container, I think this algorithm will return true here, and then what happens? That didn't work previously because the fullscreen enabled flag would be false in that case.
As implemented in Blink, there's an extra if (!document.frame()) return false check as the first step, but I'm not sure how to express that in the spec. Maybe this algorithm should only ever return true once the top-level browsing context is reached?
There was a problem hiding this comment.
You're right, I should check that document has a browsing context, before checking properties of that browsing context.
I don't think so. |
|
Maybe it will come to future use, maybe not, but I'm OK with a bit more generality than strictly needed. Changes LGTM % nits, and I'll have to keep an eye on w3c/mediacapture-main#268 about the future of |
|
I've posted why I don't think new things should go the fullscreen way in w3c/mediacapture-main#268 (comment). |
|
@upsuper if you think we should block this PR on whether or not @stefhak any idea when the community will figure out |
|
@annevk I don't think that needs to block this change, but that's up to you. |
|
FWIW I think we should fix both at once and keep allowusermedia until the media capture folks come to consensus on a different model. Today is still a day off for me so I'm happy to let others be the reviewers and sign-off. |
| context</span>, then return false.</p></li> | ||
|
|
||
| <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has | ||
| <em>no</em> <span>browsing context container</span>, then return true.</p></li> |
There was a problem hiding this comment.
These <em>no</em>s look pretty weird to me. Ctrl+Fing for "no browsing context" does not turn up any other instances.
|
Addressed feedback. |
This is clearer and is a style used elsewhere, e.g.: https://html.spec.whatwg.org/#fully-active https://html.spec.whatwg.org/#allowed-to-navigate Follow-up to #1492.
This is clearer and is a style used elsewhere, e.g.: https://html.spec.whatwg.org/#fully-active https://html.spec.whatwg.org/#allowed-to-navigate Follow-up to #1492.
This is clearer and is a style used elsewhere, e.g.: https://html.spec.whatwg.org/#fully-active https://html.spec.whatwg.org/#allowed-to-navigate Follow-up to whatwg#1492.
Fullscreen sandboxing was never implemented and it appears there are no
immediate plans for it by either Google or Mozilla. So let’s remove it.
Fixes #1240.
Furthermore, the way allowfullscreen works in implementations is by
dynamically checking the attribute. That requires moving to an “allowed
to use” algorithm rather than using a fullscreen enabled flag. (Aside,
the fullscreen enabled flag logic got broken in
688df43 but that no longer matters.)
Fixes #1481.
This change also aligns the recently introduced allowusermedia with
that model since it seems unlikely implementers want to do something
different there.