1579373 - Disabling geolocation permissions by default in cross-origin iframes

Status: RESOLVED FIXED

(Core :: DOM: Geolocation, enhancement)

Description

[Thomas Nguyen (:tnguyen)]

The new model relationship between Feature policy and permission depends on disabling permissions by default in cross-origin iframes. That change will require websites to explicitly allow permissions for cross-origin iframes, otherwise those iframes will have permission requests denied
I am going to fix Geolocation permission denied by default here.

Comment 1

[Thomas Nguyen (:tnguyen)]

Attachment: Bug 1579373 - Disabled geolocation permission for crossorigin iframe by default and add tests

Comment 2

[Pulsebot]

Pushed by tnguyen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a396b80f331f
Disabled geolocation permission for crossorigin iframe by default and add tests r=baku

Comment 3

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/a396b80f331f

Comment 4

[Neha Kochar [:neha]]

:tnguyen, this test is failing when fission is enabled (bug 1580074). Could you please look into this so we can enable it for Fission?

Comment 5

[Thomas Nguyen (:tnguyen)]

I still don't know the reason why Feature Policy does not work in a new process of cross origin iframe, but I will take a look. I file a bug for that, bug 1580462

Comment 6

[Szmozsánszky István [:flaki]]

This bug was discussed today at TPAC 2019 at the Devices & Sensors WG, tracking issue: https://github.com/w3c/geolocation-api/issues/10