I think the remaining question is, with the availability of the new wildcard form `allow="camera *; microphone *"` e.g. in https://jan-ivar.github.io/dummy/iframe_gum_sandbox_starcross_isolate.html, if we'd ever consider supporting `getUserMedia` in a sandboxed iframe without `allow-same-origin`. Since we're [trying to get rid of `*` in the spec](https://github.com/w3c/webappsec-feature-policy/issues/348), maybe no. The answer in bug 1371741 is no. This matches Chrome and Edge. Safari surprisingly supports it, but that doesn't seem like a good idea to me. Other developments: codepen now appears to use `allow-same-origin` (see https://codepen.io/jib1/pen/QWwBgMz?editors=1010) so I'm closing this. If anyone wants this behavior they need to open a new bug.
Bug 1367805 Comment 22 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I think the remaining question is, with the availability of the new wildcard form `allow="camera *; microphone *"` e.g. in https://jan-ivar.github.io/dummy/iframe_gum_sandbox_starcross_isolate.html, if we'd ever consider supporting `getUserMedia` in a sandboxed iframe without `allow-same-origin`. Since we're [trying to get rid of `*` in the spec](https://github.com/w3c/webappsec-feature-policy/issues/348), maybe no. The answer in bug 1371741 is no. This matches Chrome and Edge. Safari surprisingly supports it, but that doesn't seem like a good idea to me. Other developments: codepen now appears to use `allow-same-origin` (see https://codepen.io/jib1/pen/QWwBgMz?editors=1010) so it works fine now. I'm closing this. If anyone wants this behavior they need to open a new bug.