Notification.permission always returning "denied" when triggered from different origin iframe
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: alby90, Unassigned)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files)
Steps to reproduce:
Try to trigger a push notification (HTML5 notification) from a iframe. Both top frame and iframe have allowed notifications (also visible in Settings - Notification Permission).
Reproduce issue:
- Open https://codepen.io/deky/pen/MeRogB
- Allow notifications for the top frame (codepen.io)
- Allow notifications for https://cdpn.io (domain where the code with the notification button is loaded) -> to do that, open https://cdpn.io/nonexistingpath, which opens a 404, use this page to enter its info window -see screenshot- and allow notifications).
- Click on "Push Notification" button, this should trigger an HTML5 notification.
In Firefox this doesn't work. Reproducing these steps in Chrome, the notification is triggered.
Firefox version used: 108.2.
Actual results:
"Notification.permission" is checked from inside the iframe (cdpn.io) and it always returns "denied", blocking the notification to be triggered.
Expected results:
According to the changes explained in https://developer.mozilla.org/en-US/docs/Web/API/Notification "Chrome and Firefox no longer allow notification permissions to be requested from cross-origin <iframe>s" we understand that the permissions cannot be requested anymore from a cross-origin iframes, but should still be allowed to be checked (as it is currently working in Chrome).
Comment 2•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3•2 years ago
|
||
Edgar, it seem you made this change in bug 1708354?
Updated•2 years ago
|
Comment 4•2 years ago
|
||
:edgar, since you are the author of the regressor, bug 1708354, could you take a look?
For more information, please visit auto_nag documentation.
Comment 5•2 years ago
|
||
It is intentionally, we don't allow third-party iframe could send notification even if it has permission, because user isn't visiting it directly, and this also behave more consistent. Related spec discussion is in https://github.com/whatwg/notifications/issues/177.
Hi all :edgar, :peterv,
thank you for checking the issue and providing an answer.
As described in the official docs (https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API/Using_the_Notifications_API), it is specified that permissions (by calling Notification.requestPermission()) cannot be requested from a cross-origin iframe:
"In Chrome and Firefox you cannot request notifications at all unless the site is a secure context (i.e. HTTPS), and you can no longer allow notification permissions to be requested from cross-origin <iframe>s."
but, still according to docs, Notification.permission should still be allowed to be used.
If third-party iframes can not send notifications even if they have permissions (which is different than Chrome's behaviour), as you stated above, we need an official statement (i.e. something in the docs) which would allow us to define this as a limitation.
Thank you for your help,
Alberto
Comment 7•2 years ago
|
||
Dear reporter, thank you for the report! We've requested "dev-doc-needed" on bug 1708354 to describe the intended behavior.
I am going to close this as INVALID as Comment 5 suggests this report actually behaves as expected. Thank you.
Description
•