Open Bug 1694922 Opened 3 years ago Updated 3 years ago

Implement and ship Permissions-Policy header

Categories

(Core :: DOM: Core & HTML, defect, P3)

Firefox 86
defect

Tracking

UNCONFIRMED

People

(Reporter: github, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

I made a test page with the following content:

<!DOCTYPE html>
<html lang="de">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Titel</title>
</head>
<body>
  <script type="text/javascript">
    // Request audio-only capture and log whether access was granted.
    function checkMicrophone() {
      navigator.mediaDevices.getUserMedia({ audio: true, video: false })
        .then(function (stream) { console.log("Microphone access was allowed."); })
        .catch(function (error) { console.log("Microphone access not allowed.", error); });
    }
  </script>
  <!-- The handler must call the function, hence the parentheses. -->
  <button type="button" onclick="checkMicrophone()">Check microphone</button>
  <p>Look at the webdev console after clicking</p>
</body>
</html>

I made sure that, upon delivering that page, the web server sent the header Feature-Policy: microphone 'none';

I hosted the page at https://fibsifan.uber.space/feature-policy.html for your convenience.

I loaded the page in Firefox and clicked the button.

Actual results:

Firefox asked for permission to access the computer's microphone.

After deciding upon the microphone access, the JS console logged the corresponding message (see above).

Expected results:

I would have expected the browser to deny the microphone request outright, since the webserver signalled upfront that the page wouldn't need the microphone permission.

MDN lists Feature-Policy as supported without an about:config toggle since Firefox 74, if I understand that correctly: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

Firefox doesn't support the Feature-Policy Header: bug 1627890.

Component: Untriaged → DOM: Security
Product: Firefox → Core
See Also: → 1627890

We don't plan on supporting Feature-Policy as it got renamed, but we do plan to (eventually) support the Permissions-Policy header. Note that it uses structured fields so the syntax is slightly different: https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field.

Keywords: dev-doc-needed
Summary: Feature-Policy: microphone 'none' not handled as expected → Implement and ship Permissions-Policy header
Component: DOM: Security → DOM: Core & HTML
Severity: -- → S3
Priority: -- → P3
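
Added example (not part of the bug report and not Firefox or spec code): the syntax difference mentioned above, shown as a small converter from a Feature-Policy header value to the Permissions-Policy structured-field form, so the reporter's microphone 'none' becomes microphone=(). The function names are hypothetical, and rejecting empty allowlists and 'none' mixed with other entries is a choice made for this example.

```javascript
// Added example: rewrite a legacy Feature-Policy header value into
// Permissions-Policy (structured-field dictionary) syntax.
// toPermissionsPolicy and convertAllowlist are hypothetical helper names.
function toPermissionsPolicy(featurePolicy) {
  const members = [];
  for (const raw of featurePolicy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ";" as in the report
    const [feature, ...allowlist] = tokens;
    // Structured-field dictionary keys must be lowercase.
    if (!/^[a-z][a-z0-9_.*-]*$/.test(feature)) {
      throw new Error(`invalid feature name: ${feature}`);
    }
    if (allowlist.length === 0) {
      // Example's choice: refuse to guess what an empty allowlist should mean.
      throw new Error(`no allowlist given for ${feature}`);
    }
    members.push(`${feature}=${convertAllowlist(feature, allowlist)}`);
  }
  // Dictionary members are comma-separated, not semicolon-separated.
  return members.join(", ");
}

function convertAllowlist(feature, allowlist) {
  if (allowlist.includes("*")) return "*"; // wildcard stays a bare token
  if (allowlist.includes("'none'")) {
    if (allowlist.length > 1) {
      throw new Error(`'none' mixed with other entries for ${feature}`);
    }
    return "()"; // empty inner list: feature disabled everywhere
  }
  const items = allowlist.map((entry) => {
    if (entry === "'self'") return "self"; // keyword loses its quotes
    if (entry === "'src'") {
      throw new Error("'src' is only valid in the iframe allow attribute");
    }
    // Origins become double-quoted strings; new URL() throws on garbage input.
    const origin = new URL(entry).origin;
    if (origin === "null") throw new Error(`not a usable origin: ${entry}`);
    return `"${origin}"`;
  });
  return `(${items.join(" ")})`;
}
```
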