-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add integration with Permissions Policy #64
Comments
Given both Safari and Firefox seem to restricted these events to top-level document and same-origin frames they'd comply with the default Feature Policy behavior of default allowlist set to ["self"]. Correct? If that's the case, this seems like an obvious addition to the spec. I suspect it was not added to the spec in tandem with the Chrome implementation work due to the unfortunate fact this spec was unmaintained at that time. |
Discussed at TPAC 2019 F2F. Resolved to implement this issue. |
Note that Feature Policy has been renamed: w3c/webappsec-permissions-policy#379 |
For the record: both Blink and WebKit already integrate this API with the Permissions Policy spec, but Gecko does not. When it comes to permissions policy tokens:
|
The additional "magnetometer" requirement for ondeviceorientation on WebKit seems to come from the non-standard version of the Device Orientation API shipped on iOS and its compass-related attributes: [ImplementedAs=compassHeading] readonly attribute unrestricted double? webkitCompassHeading;
[ImplementedAs=compassAccuracy] readonly attribute unrestricted double? webkitCompassAccuracy;
undefined initDeviceOrientationEvent(optional [AtomString] DOMString type = "",
optional boolean bubbles = false,
optional boolean cancelable = false,
optional unrestricted double? alpha = null,
optional unrestricted double? beta = null,
optional unrestricted double? gamma = null,
optional unrestricted double? compassHeading = null,
optional unrestricted double? compassAccuracy = null); (see also: Apple's DeviceOrientationEvent documentation) The non-iOS version of the Web IDL excerpt above allows creating a synthetic DeviceOrientation event with readonly attribute boolean? absolute;
undefined initDeviceOrientationEvent(optional [AtomString] DOMString type = "",
optional boolean bubbles = false,
optional boolean cancelable = false,
optional unrestricted double? alpha = null,
optional unrestricted double? beta = null,
optional unrestricted double? gamma = null,
optional boolean? absolute = null); but the ondeviceorientationabsolute event itself (which would require magnetometer access) is not supported. My proposal is to standardize Blink's behavior (i.e. require "accelerometer"+"gyroscope" for ondevicemotion and ondeviceorientation, and "accelerometer"+"gyroscope"+"magnetometer" for ondeviceorientationabsolute) instead. |
The current text in the spec does give some leeway to implementations to use a magnetometer for ondeviceorientation:
The Gecko implementation seems to do this on e.g. Android:
In order for the spec to be airtight, we'd need to either require "magnetometer" or stop allowing implementations to fall back to absolute orientation. |
Could the we specify that implementations may only fall back to absolute orientation if the document has "magnetometer" permission? |
I think that could work, even though it doesn't match the behavior of any of the implementations 😄 I'll work on a draft patch. |
Ah, good point, I was only looking at the Blink-side checks but forgot that there are content-side checks as well. |
This substantive change makes the firing of the events defined in this specification dependent on a few different policy-controlled features: "accelerometer", "gyroscope", and "magnetometer. Both Blink and WebKit already integrate their implementations with the Permissions Policy spec and use the same tokens, although a bit differently: - Both require "accelerometer" and "gyroscope" for the devicemotion event. - Blink requires "accelerometer" and "gyroscope" to provide relative orientation data for the deviceorientation event, and additionally the "magnetometer" feature to fall back to absolute orientation data. WebKit always requires the three tokens for the deviceorientation event. - Blink requires "accelerometer", "gyroscope", and "magnetometer" for the deviceorientationabsolute event, whereas WebKit does not implement this event. We have opted to codify Blink's behavior in the specification, as since relative orientation data does not require a magnetometer sensor, the event should not require the corresponding token either. Fixes #64.
This substantive change makes the firing of the events defined in this specification dependent on a few different policy-controlled features: "accelerometer", "gyroscope", and "magnetometer. Both Blink and WebKit already integrate their implementations with the Permissions Policy spec and use the same tokens, although a bit differently: - Both require "accelerometer" and "gyroscope" for the devicemotion event. - Blink requires "accelerometer" and "gyroscope" to provide relative orientation data for the deviceorientation event, and additionally the "magnetometer" feature to fall back to absolute orientation data. WebKit always requires the three tokens for the deviceorientation event. - Blink requires "accelerometer", "gyroscope", and "magnetometer" for the deviceorientationabsolute event, whereas WebKit does not implement this event. We have opted to codify Blink's behavior in the specification, as since relative orientation data does not require a magnetometer sensor, the event should not require the corresponding token either. Fixes #64.
This substantive change makes the firing of the events defined in this specification dependent on a few different policy-controlled features: "accelerometer", "gyroscope", and "magnetometer. Both Blink and WebKit already integrate their implementations with the Permissions Policy spec and use the same tokens, although a bit differently: - Both require "accelerometer" and "gyroscope" for the devicemotion event. - Blink requires "accelerometer" and "gyroscope" to provide relative orientation data for the deviceorientation event, and additionally the "magnetometer" feature to fall back to absolute orientation data. WebKit always requires the three tokens for the deviceorientation event. - Blink requires "accelerometer", "gyroscope", and "magnetometer" for the deviceorientationabsolute event, whereas WebKit does not implement this event. We have opted to codify Blink's behavior in the specification, as since relative orientation data does not require a magnetometer sensor, the event should not require the corresponding token either. Fixes #64.
This has already been implemented in Chrome (issue 796894) based on the Feature Policy specification however this should be mentioned directly in this specification.
The text was updated successfully, but these errors were encountered: