Closed Bug 1523958 Opened 6 years ago Closed 6 years ago

FeaturePolicy: display-capture

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Version:
66 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
thunderbird_esr60 --- unaffected
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: jib, Assigned: jib)

References

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-active][wptsync upstream])

Attachments

(2 files)

Bug 1523958 - FeaturePolicy: display-capture.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1523958 - Add screen-capture/feature-policy.https.html wpt test.
47 bytes, text/x-phabricator-request
Details | Review

FeaturePolicy support for display-capture.

A bit of urgency: getDisplayMedia landed in 66 (bug 1321221) enabled even in cross-origin iframes; didn't matter in Nightly, but in Beta where dom.security.featurePolicy.enabled is false, it's not great.

Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]

I've convinced myself that disallowing getDisplayMedia in cross-origin iframes is premature without feature policy enabled.

Even though this is technically a new API, the same functionality is already available through

navigator.mediaDevices.getUserMedia({video: {mediaSource: "screen"}});

...and this patch would disable both in cross-origin iframes, without a workaround until dom.security.featurePolicy.enabled rides the (maybe 68) train. I worry this might break some actual sites.

I considered only disabling the new API, but that might hurt convergence around the new API.

Instead, I'm going to push patches to simply enable "display-capture" feature policy, already reviewed.

status-firefox66: affectedwontfix
tracking-firefox66: + → ---
Summary: FeaturePolicy: display-capture (and disallow getDisplayMedia in cross-origin iframe otherwise) → FeaturePolicy: display-capture
Attachment #9040123 - Attachment description: Bug 1523958 - FeaturePolicy: display-capture (and disallow getDisplayMedia in cross-origin iframe otherwise). → Bug 1523958 - FeaturePolicy: display-capture.
Pushed by jbruaroey@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9439612a6ff9 FeaturePolicy: display-capture. r=baku https://hg.mozilla.org/integration/autoland/rev/0782920301f9 Add screen-capture/feature-policy.https.html wpt test. r=baku

https://hg.mozilla.org/mozilla-central/rev/9439612a6ff9
https://hg.mozilla.org/mozilla-central/rev/0782920301f9

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/15373 for changes under testing/web-platform/tests
Whiteboard: [domsecurity-active] → [domsecurity-active][wptsync upstream]

Note to MDN writers:

This is still behind a flag, so no note on the 67 rel notes.

But we should add this to the Feature-Policy page, annd update the BCD.

This should be done now, assuming the PR goes through and doesn't need revisions.

Keywords: dev-doc-neededdev-doc-complete
See Also: → 1597285
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: