Disallow notification permission requests from cross-origin iframes
Categories
(Core :: DOM: Push Subscriptions, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: johannh, Assigned: ehsan.akhgari)
References
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(2 files)
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
Bug 1560741 - Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe;
47 bytes,
text/x-phabricator-request
|
Details | Review |
To enable consistent treatment of permission requests in iframes with feature policy, we will deny requests for notification permission in cross-origin iframes.
Chrome announced the same change over 2 years ago, though strangely in my Canary they are still showing the deprecation notice.
Our Telemetry shows that usage is very low at 0.03%, so we should have little to no issues with breakage.
|
||
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
I am relatively confident we decided to do this without the option for the embedder to delegate the notification permission (i.e., without "Feature Policy") as it seems extremely unlikely that embedder A would want to allow embeddee B to create notifications attributed to A. (And if they were attributed to B it would violate the UX simplifications goal as we'd show B to the user whereas the goal is to almost exclusively show A.) If A wants B to create notifications attributed to A it can still do so via a custom postMessage() API.
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9dc1d39d2786 Part 1: Disallow notification permission requests from cross-origin iframes; r=johannh https://hg.mozilla.org/integration/autoland/rev/c08aa2078829 Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe; r=johannh
|
||
Comment 5•5 years ago
|
||
Backed out 2 changesets (Bug 1560741) for mochitest failures at test_permission_isHandlingUserInput.xul.
Backout: https://hg.mozilla.org/integration/autoland/rev/46b45c5243e972afb0ed9fb47b9d512bacc6cc06
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception&revision=c08aa2078829f2826a58a34ea60b7bca23008bd7&selectedJob=261183008
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261183008&repo=autoland&lineNumber=49993
|
|
Assignee | |
Updated•5 years ago
|
Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b7c91018f87e Part 1: Disallow notification permission requests from cross-origin iframes; r=johannh https://hg.mozilla.org/integration/autoland/rev/efe5dc48aa87 Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe; r=johannh
|
||
Comment 7•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b7c91018f87e
https://hg.mozilla.org/mozilla-central/rev/efe5dc48aa87
|
|
||
Comment 8•5 years ago
|
||
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/notification-permission-requests-from-cross-origin-iframe-are-now-disallowed/
|
|
||
Comment 9•4 years ago
|
||
I've documented this behavior on MDN; see https://github.com/mdn/sprints/issues/2464#issuecomment-564668240 for the full details.
Let me know if you've like to see any further updates; thanks!
Description
•