Closed Bug 1678133 Opened 4 years ago Closed 4 years ago

FeaturePolicy: encrypted-media appears to be broken

Categories

(Core :: DOM: Security, defect)

RESOLVED DUPLICATE of bug 1575033

People

(Reporter: bryce, Unassigned)

https://searchfox.org/mozilla-central/rev/277ab3925eae21b419167a34624ec0ab518d0c94/testing/web-platform/meta/encrypted-media/clearkey-mp4-unique-origin.https.html.ini#2 shows we're failing this + it fails in manual testing.

Edit: I'm not sure if the wpt run sets prefs appropriately. Manual STR below.

STR:

Result:
Test fails.

Notes:
Builds shortly after the landing of bug 1495359 seem to also fail. I'm not sure if I'm overlooking something, as it seems unlikely this never worked.

Didn't realize when cloning bug 1495359 that it is outside of media. Resetting triage values so this can be triaged appropriately.

Severity: S3 → --
Priority: P3 → --

So the point is that it should be disallowed by default? Chrome (Canary) at least seems to do that. Anne, Baku, do we know why restricting encrypted-media is on the experimental list (see comment 2) for us? It's also listed as "All" instead of "Self" right now.

I have to say that the test is a bit weird because it says that "Unique origin is unable to create MediaKeys" but in reality it seems blocked by FP and not by the fact that it's sandboxed.

Flags: needinfo?(annevk)
Flags: needinfo?(amarchesini)
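
The difference between an "All" and a "Self" default allowlist raised above, as an added example that is not part of the bug thread or of Firefox's code: a simplified JavaScript model of how Permissions Policy is inherited into an iframe, leaving out header-declared policies. The function names, origins and sample frames are constructed for illustration.

```javascript
// Simplified model of how a feature's default allowlist decides whether an
// iframe may use it. Not Firefox code; HTTP-header policies are left out.
// Origins are strings; null stands for the opaque origin of a sandboxed frame.

function sameOrigin(a, b) {
  return a !== null && b !== null && a === b; // opaque is same-origin with nothing
}

// frame.allow: undefined when the allow attribute does not name the feature,
// "*" for allow="feature *", or an array of explicitly listed origins.
function enabledInFrame(defaultAllowlist, parentEnabled, parentOrigin, frame) {
  if (!parentEnabled) return false;          // a child cannot exceed its parent
  if (frame.allow !== undefined) {           // the embedder delegated explicitly
    if (frame.allow === "*") return true;
    return frame.allow.some((o) => sameOrigin(o, frame.origin));
  }
  if (defaultAllowlist === "*") return true; // "All": every frame inherits it
  if (defaultAllowlist === "self") return sameOrigin(parentOrigin, frame.origin);
  throw new Error("unknown default allowlist: " + defaultAllowlist);
}

// Constructed sample frames embedded by https://parent.example.
const PARENT = "https://parent.example";
const FRAMES = {
  sameOrigin: { origin: PARENT },
  crossOrigin: { origin: "https://player.example" },
  sandboxed: { origin: null }, // sandbox without allow-same-origin
  delegated: { origin: "https://player.example", allow: ["https://player.example"] },
};

// One row per frame: is encrypted-media usable under each default?
function compareDefaults() {
  const rows = {};
  for (const [name, frame] of Object.entries(FRAMES)) {
    rows[name] = {
      all: enabledInFrame("*", true, PARENT, frame),
      self: enabledInFrame("self", true, PARENT, frame),
    };
  }
  return rows;
}

console.log(compareDefaults());
```

With the "All" default the sandboxed, unique-origin frame still gets the feature; with "Self" only the same-origin frame and the explicitly delegated one do.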

We only shipped Permissions Policy "permissions" for things we were sure of. We had not made a call on encrypted-media either way and I don't think we filed a follow-up for it either. (See bug 1572461 for what we decided to ship initially.)

It might be reasonable to follow Chrome here. Is there UI that a child can cause to appear due to it using EME? And if yes, would that need adjusting for the fact that the parent is now in control over whether it appears?

Flags: needinfo?(annevk)
Flags: needinfo?(amarchesini)

Is this essentially bug 1575033 or should we mark that as a duplicate of this bug at this point?

Let's dupe it as that bug makes it more clear what the end goal is (restricting cross-origin iframes).

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Wrong bug, gah

No longer blocks: permissions-policy