Closed Bug 1450957 Opened 7 years ago Closed 7 years ago

iframes should not be allowed to request permissions

Categories

(Firefox :: Site Identity, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: hanno, Unassigned)

Details

It is possible for an iframe to request permissions, e.g. notification/camera etc. via JavaScript. This creates a situation where users may get a very confusing UI. Let's assume a page lets content providers control the content of an iframe. In this case one can open a permission request, however it will appear for the user within the page he's visiting. While the domain name the request is originating from is shown, it's plausible that users won't notice that. Chrome is blocking such permission requests (but only in relatively recent versions): https://dev.chromium.org/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes Here's a demo on Twitter: https://twitter.com/xsamaster/status/980448101268942848 A user may find it perfectly normal and acceptable that Twitter requests a notification permission, but may not realize he's just giving a third party this permission.
I generally agree that the way Chrome enables websites to delegate their permissions via Feature-Policy is a good idea. However, we don't have FP implemented at this point and entirely severing permission requests from third parties is not an option due to web compat (https://mzl.la/2q19jn1). We are showing the origin of the requestor in the permission prompt and I'm working on a way to surface frame permissions better in the control center in bug 1224453. We're not aware of instances of this being massively abused (and in general this is also a problem with first parties trusting the third parties they embed). In the mid or long term we might want to switch to the model Chrome uses, but I don't think it makes sense to have this bug stick around until then. It's not actionable right now.
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
I think after Bug 1483631 is completed, we would revisit this to deprecate the bad behavior and route web developers to Feature Policy like Chrome.
Depends on: 1483631

This is the plan now, see bug 1572461. I suggest we leave this bug closed and no longer track it as it's become redundant. Appreciate the push in the right direction though!

No longer depends on: 1483631
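The delegation model the comments above refer to (a cross-origin iframe may prompt only if the embedding page opts it in through the iframe `allow` attribute) can be sketched as follows. This is an added example, not code from Firefox, Chrome, or any participant in this bug. It is a simplified model that assumes a feature whose default allowlist is `'self'` (camera, microphone, geolocation) and an embedding document that has the feature enabled itself; the function names and origins are constructed.

```javascript
// Simplified model of Feature Policy delegation for "default 'self'" features.
// Assumption: the embedding document itself has the feature enabled.
// Function names and origins are constructed for illustration.

// Parse an iframe allow attribute into Map<feature, allowlist tokens>.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of (allowAttr || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // An empty allowlist in the allow attribute means 'src'.
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Decide whether a frame may use (and therefore prompt for) a feature.
//   parentOrigin: origin of the embedding document
//   srcOrigin:    origin of the iframe's src attribute
//   frameOrigin:  origin of the document currently loaded in the frame
function frameMayRequest(feature, parentOrigin, srcOrigin, frameOrigin, allowAttr) {
  const allowlist = parseAllow(allowAttr).get(feature.toLowerCase());
  if (!allowlist) {
    // No delegation: the default allowlist 'self' covers same-origin frames only.
    return frameOrigin === parentOrigin;
  }
  return allowlist.some((token) => {
    if (token === "*") return true;
    if (token === "'none'") return false;
    if (token === "'self'") return frameOrigin === parentOrigin;
    if (token === "'src'") return frameOrigin === srcOrigin;
    try {
      return new URL(token).origin === frameOrigin;
    } catch {
      return false; // an unparseable token grants nothing
    }
  });
}
```

Under this model a third-party frame embedded without an `allow` attribute gets no prompt at all, and a frame that navigates away from its `src` origin loses a bare `allow="camera"` grant.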