Invoke "allowed to use" always #383
Conversation
|
I'm working on fixing the same-origin discrepancy in Chrome. Sorry about that! The correct behavior is to allow usage of |
|
@rsolomakhin that does not match the behavior of |
|
@zcorpan We are trying to match the behavior of FeaturePolicy attribute |
|
@rsolomakhin OK. I think that makes sense, but if possible we should grand-father In any case, I think this PR is a step in the right direction. You suggest relaxing it further in the same-origin case. |
|
The feature policy behavior for fullscreen and paymentrequest can easily differ, if they have different default feature policies. In particular, I think the intent in feature policy is that the behavior HTML defines in "allowed to use" corresponds to a default feature policy of [] in non-toplevel browsing contexts. The behavior @rsolomakhin wants corresponds to a default whitelist of "self". Or at least that's the idea; the algorithms in the feature policy explainer don't quite do this right yet, but the intent is to be able to define both behaviors in terms of feature policy. Note that for purposes of this discussion "same-origin iframe" means "same-origin with its parent", not with toplevel. |
|
@zcorpan, we're looking at changing the behaviour of allowfullscreen and allowusermedia to match this (no attribute needed for same-origin) -- it doesn't make much sense in the same-origin case anyway, where the child could simply reach into its parent and enable any attributes it needs to access a feature, and trying to restrict it that way makes FP much more difficult to reason about. The must-be-live nature of allowfullscreen looks like it was never part of the spec, but was an implementation detail that has come to be relied on. If that can't be changed without breaking existing sites, then we might be able to special-case that attribute, but I'd rather not do that for any new features. |
|
Allowing same-origin without an |
The old text was only invoking "allowed to use" for non-top-level browsing contexts, which means the active document check is not done for the top-level document case. The old text was only invoking "allowed to use" if a document in the chain of ancestor browsing contexts were not same origin, but this does not match Chromium. Chromium will throw an exception for PaymentRequest in an iframe even if it's same origin. It also means that if everything *is* same origin, then the active document check in "allowed to use" would not be called. The use case for allowpaymentrequest must be to allow cross-origin documents in iframes to make payments. Otherwise, if everything is same-origin, the document could just construct top.PaymentRequest to bypass any checks, or set the allowpaymentrequest attribute on its frameElement. Fixes #361. The active document check in "allowed to use" was added in whatwg/html#2160.
zcorpan
force-pushed
the
zcorpan/fix-allowed-to-use-check
branch
from
85cb81c to
172cbaf
Compare
|
I rebased this now. (Not clear to me why the ipr check is still failing; AFAICT I'm in the Web Payments Working Group per https://labs.w3.org/hatchery/repo-manager/admin/user/zcorpan . Clicking "revalidate" in https://labs.w3.org/hatchery/repo-manager/pr/id/w3c/browser-payment-api/383 I get a "Forbidden" message.) |
|
Hi @zorpan, we fixed our database and the IPR conflict is (appropriately) gone. Thanks! |
The old text was only invoking "allowed to use" for non-top-level
browsing contexts, which means the active document check is not
done for the top-level document case.
The old text was only invoking "allowed to use" if a document in
the chain of ancestor browsing contexts were not same origin,
but this does not match Chromium. Chromium will throw an exception
for PaymentRequest in an iframe even if it's same origin. It also
means that if everything is same origin, then the active document
check in "allowed to use" would not be called.
The use case for allowpaymentrequest must be to allow cross-origin
documents in iframes to make payments. Otherwise, if everything is
same-origin, the document could just construct top.PaymentRequest
to bypass any checks, or set the allowpaymentrequest attribute on
its frameElement.
Fixes #361.
The active document check in "allowed to use" was added in
whatwg/html#2160.