FeaturePolicy: encrypted-media appears to be broken
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: bryce, Unassigned)
References
Details
https://searchfox.org/mozilla-central/rev/277ab3925eae21b419167a34624ec0ab518d0c94/testing/web-platform/meta/encrypted-media/clearkey-mp4-unique-origin.https.html.ini#2 shows we're failing this + it fails in manual testing.
Edit: I'm not sure if the wpt run sets prefs appropriately . Manual STR below.
STR:
- Ensure
dom.security.featurePolicy*
prefs are true. - Navigate to https://wpt.live/encrypted-media/clearkey-mp4-unique-origin.https.html
Result:
Test fails.
Notes:
Builds shortly after the landing of bug 1495359 seem to also fail. I'm not sure if I'm overlooking something, as it seems unlikely this never worked.
Reporter | ||
Comment 1•4 years ago
•
|
||
Didn't realize when cloning bug 1495359 that it is outside of media. Resetting triage values so this can be triaged appropriately.
Comment 2•4 years ago
|
||
Comment 3•4 years ago
|
||
So the point is that it should be disallowed by default? Chrome (Canary) at least seems to do that. Anne, Baku, do we know why restricting encrypted-media is on the experimental list (see comment 2) for us? It's also listed as "All" instead of "Self" right now.
I have to say that the test is a bit weird because it says that "Unique origin is unable to create MediaKeys" but in reality it seems blocked by FP and not by the fact that it's sandboxed.
Comment 4•4 years ago
|
||
We only shipped Permissions Policy "permissions" for things we were sure of. We had not made a call on encrypted-media
either way and I don't think we filed a follow-up for it either. (See bug 1572461 for what we decided to ship initially.)
It might be reasonable to follow Chrome here. Is there UI that a child can cause to appear due to it using EME? And if yes, would that need adjusting for the fact that the parent is now in control over whether it appears?
Comment 5•4 years ago
|
||
Is this essentially bug 1575033 or should we mark that as a duplicate of this bug at this point?
Comment 6•4 years ago
|
||
Let's dupe it as that bug makes it more clear what the end goal is (restricting cross-origin iframes)
Comment 7•4 years ago
|
||
Wrong bug, gah
Updated•4 years ago
|
Description
•