Open Bug 1299577 Opened 8 years ago Updated 2 years ago

Double-key origin for getUserMedia in iframes.

Categories

(Firefox :: Site Permissions, defect, P2)

People

(Reporter: jib, Unassigned)

References

(Blocks 1 open bug)

The spec [1] was updated with the following language a while ago wrt iframes:

  4. Let originIdentifier be the [HTML51] top-level browsing context's origin.

  5. If the current [HTML51] browsing context is a [HTML51] nested browsing context whose origin is
     different from originIdentifier, let originIdentifier be the result of combining originIdentifier
     and the current browsing context's origin.

  6. For the origin identified by originIdentifier, request permission for use of the devices, ...

We should comply.

Permission prompts for gUM in different-origin iframes should mention the top-level site as well, something like:

  "Would you like to share your camera and microphone with both jsfiddle.net and fiddle.jshell.net?"

[1] https://w3c.github.io/mediacapture-main/getusermedia.html#dom-mediadevices-getusermedia
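
The keying described in steps 4 to 6 of the quoted spec text, sketched as an added example (not part of the bug report and not Firefox code): a permission store whose key combines the top-level origin with the iframe's origin, so a grant made in one embedding does not carry over to another. The names `originIdentifier`, `promptHosts`, `PermissionStore`, the rejection of opaque origins and the `embedder.example` URL are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. All function/class names are hypothetical.

// Steps 4-5: begin with the top-level origin; when the requesting frame's
// origin differs, combine both into a single key.
function originIdentifier(topLevelUrl, frameUrl) {
  const top = new URL(topLevelUrl).origin;
  const frame = new URL(frameUrl).origin;
  // Assumption: opaque origins (serialized as "null") never get a stored grant.
  if (top === "null" || frame === "null") {
    throw new Error("opaque origin cannot hold a persistent grant");
  }
  // A JSON array keeps the pair unambiguous; a lone origin stays a plain string.
  return frame === top ? top : JSON.stringify([top, frame]);
}

// Hosts the prompt has to name: one for same-origin, both for a cross-origin iframe.
function promptHosts(topLevelUrl, frameUrl) {
  const top = new URL(topLevelUrl);
  const frame = new URL(frameUrl);
  return top.origin === frame.origin ? [top.host] : [top.host, frame.host];
}

// Step 6: permission is requested and remembered for originIdentifier.
class PermissionStore {
  constructor() {
    this.grants = new Map(); // originIdentifier -> Set of device kinds
  }
  grant(topLevelUrl, frameUrl, devices) {
    const key = originIdentifier(topLevelUrl, frameUrl);
    const set = this.grants.get(key) ?? new Set();
    devices.forEach((d) => set.add(d));
    this.grants.set(key, set);
  }
  isGranted(topLevelUrl, frameUrl, device) {
    return this.grants.get(originIdentifier(topLevelUrl, frameUrl))?.has(device) ?? false;
  }
}

// Constructed scenario: the user accepts the prompt for the iframe on jsfiddle.net.
function demo() {
  const frame = "https://fiddle.jshell.net/abc/show/";
  const store = new PermissionStore();
  store.grant("https://jsfiddle.net/abc/", frame, ["camera", "microphone"]);
  return {
    sameEmbedding: store.isGranted("https://jsfiddle.net/xyz/", frame, "camera"),
    otherEmbedder: store.isGranted("https://embedder.example/", frame, "camera"),
    frameAsTopLevel: store.isGranted(frame, frame, "camera"),
    topLevelAlone: store.isGranted("https://jsfiddle.net/", "https://jsfiddle.net/", "camera"),
  };
}
```

Only `sameEmbedding` comes back true: the grant is bound to the pair, so neither origin gains access on its own and the iframe gains nothing when a different site embeds it.
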
Rank: 25
Priority: -- → P2
I see you filed this in core, but when reading the bug description it seems to require only front-end changes. Are there core changes needed here?
Perhaps not! Let me know if that changes. Does that mean we need a separate but for android?
Component: WebRTC: Audio/Video → Device Permissions
Product: Core → Firefox
s/but/bug/ (darn auto-complete)
(In reply to Jan-Ivar Bruaroey [:jib] from comment #2)
> Perhaps not! Let me know if that changes. Does that mean we need a separate
> bug for android?

I think so, yes.
(In reply to Jan-Ivar Bruaroey [:jib] from comment #0)

> Permission prompts for gUM in different-origin iframes should mention the
> top-level site as well, something like:
> 
>   "Would you like to share your camera and microphone with both jsfiddle.net
> and fiddle.jshell.net?"

Aislinn, do you have thoughts on this? How do you feel about the proposed wording here?
Flags: needinfo?(agrigas)
This is the phrasing we use for camera:
"Would you like to allow [domain name] to use your video camera?
X Remember this decision
[Don’t allow] [Allow video camera]"

We should keep this formatting as much as we can so I would suggest:
"Would you like to allow both [domain name 1] and [domain name 2] to use your camera and microphone?"
Flags: needinfo?(agrigas)
See Also: → 1330559
This looks like it's going to be permission-based, which means OriginAttributes will automatically be respected (insofar as we know we allow permissions across OA), but I just wanted to tag it for tracking.
Severity: normal → S3