Implement and ship Permissions-Policy header
Categories
(Core :: DOM: Core & HTML, defect, P3)
People
(Reporter: github, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-needed)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Steps to reproduce:
I made a test page with the following content:
<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Titel</title>
</head>
<body>
<script type="text/javascript">
// Request audio only; the outcome is logged to the web console.
function checkMicrophone() {
  navigator.mediaDevices.getUserMedia({ audio: true, video: false })
    .then(function (stream) { console.log("Microphone access was allowed."); })
    .catch(function (error) { console.log("Microphone access not allowed.", error); });
}
</script>
<button type="button" onclick="checkMicrophone()">Check microphone</button>
<p>Look at the webdev console after clicking</p>
</body>
</html>
I made sure that, upon delivering that page, the web server sent the header Feature-Policy: microphone 'none';
I hosted the page at https://fibsifan.uber.space/feature-policy.html for your convenience.
I loaded the page in Firefox and clicked the button.
Actual results:
Firefox asked for permission to access the computer's microphone.
After deciding on the microphone access, the JS console logged the corresponding message (see above).
Expected results:
I would have expected the browser to deny the microphone request outright, since the webserver signalled upfront that the page wouldn't need the microphone permission.
MDN lists Feature-Policy as supported without an about:config toggle since Firefox 74, if I understand that correctly: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Comment 1•3 years ago
Firefox doesn't support the Feature-Policy Header: bug 1627890.
Updated•3 years ago
Comment 2•3 years ago
We don't plan on supporting Feature-Policy as it got renamed, but we do plan to (eventually) support the Permissions-Policy header. Note that it uses structured fields so the syntax is slightly different: https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field.
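The syntax difference mentioned in comment 2, as an added example that is not part of the bug report or of Firefox's code: it rewrites a Feature-Policy header value (such as the microphone 'none' value from the test page) into the structured-fields form used by Permissions-Policy. The function names are hypothetical, and rejecting empty allowlists, 'src', and 'none' mixed with other entries is an assumption of this example.

```javascript
// Added example (not from the bug report): rewrite a legacy Feature-Policy
// header value in the structured-fields syntax used by Permissions-Policy.
// Function names are hypothetical.
function convertAllowlist(feature, allowlist) {
  if (allowlist.length === 0) {
    throw new Error(`${feature}: no allowlist given`); // assumption: reject
  }
  if (allowlist.includes("'none'")) {
    if (allowlist.length > 1) {
      throw new Error(`${feature}: 'none' combined with other entries`);
    }
    return "()"; // empty inner list: feature disabled everywhere
  }
  if (allowlist.includes("*")) return "*";
  const items = allowlist.map((entry) => {
    if (entry === "'self'") return "self"; // keyword becomes a bare token
    if (entry === "'src'") {
      throw new Error(`${feature}: 'src' is not valid in a header`);
    }
    const origin = new URL(entry).origin; // throws on a malformed origin
    if (origin === "null") throw new Error(`${feature}: opaque origin ${entry}`);
    return `"${origin}"`; // origins become quoted strings
  });
  return `(${items.join(" ")})`;
}

function featurePolicyToPermissionsPolicy(headerValue) {
  const members = [];
  for (const directive of headerValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ';'
    const [feature, ...allowlist] = tokens;
    if (!/^[a-z][a-z0-9-]*$/.test(feature)) {
      throw new Error(`unexpected feature name: ${feature}`);
    }
    members.push(`${feature}=${convertAllowlist(feature, allowlist)}`);
  }
  return members.join(", ");
}

// Constructed sample values; the first is the header from the test page.
console.log(featurePolicyToPermissionsPolicy("microphone 'none';"));
console.log(featurePolicyToPermissionsPolicy(
  "geolocation 'self' https://example.com; camera *"));
```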