Closed Bug 1560741 Opened 2 months ago Closed 12 days ago

Disallow notification permission requests from cross-origin iframes

Categories: Core :: DOM: Push Notifications, enhancement, P2

Tracking: RESOLVED FIXED, mozilla70
Tracking Status: firefox70 --- fixed

People: Reporter: johannh, Assigned: ehsan

References: Blocks 3 open bugs

Details: Keywords: dev-doc-needed, site-compat

Attachments: 2 files

To enable consistent treatment of permission requests in iframes with feature policy, we will deny requests for notification permission in cross-origin iframes.

Chrome announced the same change over 2 years ago, though strangely in my Canary they are still showing the deprecation notice.

Our Telemetry shows that usage is very low at 0.03%, so we should have little to no issues with breakage.

I am relatively confident we decided to do this without the option for the embedder to delegate the notification permission (i.e., without "Feature Policy") as it seems extremely unlikely that embedder A would want to allow embeddee B to create notifications attributed to A. (And if they were attributed to B it would violate the UX simplifications goal as we'd show B to the user whereas the goal is to almost exclusively show A.) If A wants B to create notifications attributed to A it can still do so via a custom postMessage() API.
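
An added example, not part of the bug thread or of Firefox's code: one way embedder A could implement the custom postMessage() route mentioned in the comment above, so that embedded B can ask A to show a notification attributed to A. The origin `https://widget.example`, the `notify-request` message type, the length limits and the `widget-frame` id are assumptions.

```javascript
// Added example (not from the bug): site A brokers notifications for embedded site B.
// Constructed values: the origin, message type and length limits are assumptions.
const ALLOWED_ORIGINS = new Set(["https://widget.example"]);
const MAX_TITLE = 80;
const MAX_BODY = 240;

// Decide whether a message event is an acceptable notification request.
function validateRequest(event, allowedOrigins, frameWindow) {
  // event.origin is set by the browser and cannot be forged by the sender.
  if (!allowedOrigins.has(event.origin)) return { ok: false, reason: "origin" };
  // Pin the sender to the specific embedded frame, not any window on that origin.
  if (!frameWindow || event.source !== frameWindow) return { ok: false, reason: "source" };
  const d = event.data;
  if (d === null || typeof d !== "object" || d.type !== "notify-request") {
    return { ok: false, reason: "type" };
  }
  if (typeof d.title !== "string" || typeof d.body !== "string") {
    return { ok: false, reason: "shape" };
  }
  if (d.title.length === 0 || d.title.length > MAX_TITLE || d.body.length > MAX_BODY) {
    return { ok: false, reason: "length" };
  }
  return { ok: true, title: d.title, body: d.body };
}

// Build the message handler. Dependencies are injected so the logic runs outside a browser.
function makeBroker({ allowedOrigins, getFrameWindow, getPermission, show }) {
  return function onMessage(event) {
    const r = validateRequest(event, allowedOrigins, getFrameWindow());
    if (!r.ok) return r;
    // A does not prompt on B's behalf here; it only uses a permission it already holds.
    if (getPermission() !== "granted") return { ok: false, reason: "permission" };
    // Forward title and body only; icon, data, actions and tag stay under A's control.
    show(r.title, { body: r.body });
    return r;
  };
}

// Browser wiring on A's top-level page (skipped where these globals do not exist).
if (typeof window !== "undefined" && typeof Notification !== "undefined") {
  const frame = document.getElementById("widget-frame"); // hypothetical iframe id
  window.addEventListener("message", makeBroker({
    allowedOrigins: ALLOWED_ORIGINS,
    getFrameWindow: () => frame && frame.contentWindow,
    getPermission: () => Notification.permission,
    show: (title, opts) => new Notification(title, opts),
  }));
}
```

The frame calls `parent.postMessage({ type: "notify-request", title, body }, "https://a.example")` with A's real origin as the target; any other field it sends is dropped by the broker.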

No longer blocks: feature-policy
Assignee: nobody → ehsan
Blocks: 1572461
Blocks: 1375683
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9dc1d39d2786
Part 1: Disallow notification permission requests from cross-origin iframes; r=johannh
https://hg.mozilla.org/integration/autoland/rev/c08aa2078829
Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe; r=johannh
Flags: needinfo?(ehsan)
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b7c91018f87e
Part 1: Disallow notification permission requests from cross-origin iframes; r=johannh
https://hg.mozilla.org/integration/autoland/rev/efe5dc48aa87
Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe; r=johannh
Status: NEW → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
See Also: → 1573513
Regressions: 1573513
Depends on: 1574019