FeaturePolicy: display-capture
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| thunderbird_esr60 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox65 | --- | unaffected |
| firefox66 | --- | wontfix |
| firefox67 | --- | fixed |
People
(Reporter: jib, Assigned: jib)
References
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-active][wptsync upstream])
Attachments
(2 files)
FeaturePolicy support for display-capture.
A bit of urgency: getDisplayMedia landed in 66 (bug 1321221) enabled even in cross-origin iframes; didn't matter in Nightly, but in Beta where dom.security.featurePolicy.enabled is false, it's not great.
|
Assignee | |
Comment 1•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
[Tracking Requested - why for this release]: see comment 0.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Comment 4•5 years ago
|
||
I've convinced myself that disallowing getDisplayMedia in cross-origin iframes is premature without feature policy enabled.
Even though this is technically a new API, the same functionality is already available through
navigator.mediaDevices.getUserMedia({video: {mediaSource: "screen"}});
...and this patch would disable both in cross-origin iframes, without a workaround until dom.security.featurePolicy.enabled rides the (maybe 68) train. I worry this might break some actual sites.
I considered only disabling the new API, but that might hurt convergence around the new API.
Instead, I'm going to push patches to simply enable "display-capture" feature policy, already reviewed.
|
||
Updated•5 years ago
|
Pushed by jbruaroey@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9439612a6ff9 FeaturePolicy: display-capture. r=baku https://hg.mozilla.org/integration/autoland/rev/0782920301f9 Add screen-capture/feature-policy.https.html wpt test. r=baku
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9439612a6ff9
https://hg.mozilla.org/mozilla-central/rev/0782920301f9
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/15373 for changes under testing/web-platform/tests
|
||
Comment 8•5 years ago
|
||
Note to MDN writers:
This is still behind a flag, so no note on the 67 rel notes.
But we should add this to the Feature-Policy page, annd update the BCD.
|
||
Comment 9•5 years ago
|
||
- Added reference page for Feature-Policy: display-capture
- Submitted BCD PR 4109 to add
display-captureto feature policy - Improvements and example added to getDisplayMedia() page
- Improvements to Using the Screen Capture API
- Expanded information provided in the main [Screen Capture API](https://developer.mozilla.org/en-US/docs/Web/API/Screen_Capture_API
This should be done now, assuming the PR goes through and doesn't need revisions.
Description
•