Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should top-level transient activation be sufficient for getDisplayMedia() on cross-origin iframes with allow="display-capture"? #11

Open
karlt opened this issue Apr 15, 2021 · 13 comments
Labels
enhancement New feature or request

Comments

@karlt
Copy link

karlt commented Apr 15, 2021

This came up when we added the transient activation requirement to Gecko. The data flow affected was "click handler in main document" -> iframe.contentWindow.postMessage() -> "getDisplayMedia() inside iframe". The gesture in the top-level Document does not affect cross-origin descendant Documents.

I assume the purpose of the transient activation test is to require a user gesture and the precise location of the user gesture is not important?
If so, then checking for transient activation on the top-level Window instead of on the relevant global object is an option to allow this use case.

Would any host Document want to grant a cross-origin iframe "display-capture" permission but restrict its getDisplayMedia() calls to a user gesture specifically on the iframe?

@annevk
Copy link
Member

annevk commented Apr 15, 2021

See also whatwg/html#5129.

cc @mustaqahmed @domenic

@jan-ivar
Copy link
Member

@annevk thanks, but did you mean to link to this one as well? whatwg/html#4364

Would any host Document want to grant a cross-origin iframe "display-capture" permission but restrict its getDisplayMedia() calls to a user gesture specifically on the iframe?

@karlt I can't think of any case like that.

then checking for transient activation on the top-level Window instead of on the relevant global object is an option to allow this use case.

I think that'd work in our case since getDisplayMedia is the lone feature enabled by "display-capture".

Though now I'm curious, can an iframe doc get transient activation without its top-level doc also getting it?

@karlt
Copy link
Author

karlt commented Apr 15, 2021

Though now I'm curious, can an iframe doc get transient activation without its top-level doc also getting it?

No, a user interaction in an iframe causes active Windows of all, even cross-origin, ancestor browsing contexts to have their timestamp updated, so all ancestor Windows (including the top-level) always get transient activation when the iframe gets it.

@youennf
Copy link

youennf commented Apr 16, 2021

Would any host Document want to grant a cross-origin iframe "display-capture" permission but restrict its getDisplayMedia() calls to a user gesture specifically on the iframe?

I cannot think of a case like that.
But I can see top level frames not wanting that any random click can be used by third-party iframes, even though they have "display-capture" permission.
My understanding here is that the postMessage from top level frame to third-party iframe is triggering the "transient activation" delegation.
Is that correct?

@annevk
Copy link
Member

annevk commented Apr 16, 2021

"Transient activation" isn't tracked through postMessage() at the moment. There's a proposal in whatwg/html#4364 but that went dormant. That also wouldn't solve any existing scenarios as code would have to be updated to make use of it.

cc @dtapuska

@youennf
Copy link

youennf commented Apr 16, 2021

For "existing code", quirks can be used as a short term mitigation.
I hope we can come up with some consensus for third-party iframe mitigations.
FWIW, Safari is shipping strict activation rules for getDisplayMedia.

@karlt
Copy link
Author

karlt commented Apr 16, 2021

My understanding here is that the postMessage from top level frame to third-party iframe is triggering the "transient activation" delegation.

The proposal here is not to pass the transient activation to a cross-origin frame by postMessage(). i.e. it is not to provide cross-origin transient activation for general usage. I guess you could view the postMessage() as informing the third-party frame that the top-level has transient activation, in much the same way as a user-gesture handler might inform a Promise microtask.

@mustaqahmed
Copy link
Member

mustaqahmed commented Apr 16, 2021

Let me clarify last few posts here, we are linking two different proposals here:

For the media-capture question raised in this issue, I think the answer depends on what allow="display-capture" really means. Does it expect the subframe to rely on its own user activation for a media-capture call or no? An "yes" seems to be the safest answer to me because, for example, I don't ever want a random ad subframe in a site to perform screen-capture without a click in that frame.

Edit: fixed the Capability Delegation design doc link.

@annevk
Copy link
Member

annevk commented Apr 16, 2021

@mustaqahmed if you could note that in that issue (including a link to the TAG review) that would be appreciated.

I cannot open the Capability Delegation document. It would be helpful to understand how it differs from the postMessage() approach which also seems to be about delegating the capability...

@youennf
Copy link

youennf commented Apr 16, 2021

Can you make that document publicly available.

An "yes" seems to be the safest answer to me

That seems like a good default to me in general.

@mustaqahmed
Copy link
Member

mustaqahmed commented Apr 16, 2021

Sorry I pasted a wrong link there! The fixed link is here (also fixed above).

@mustaqahmed
Copy link
Member

@annevk Let's discuss the new proposal through WICG/capability-delegation. I will close the HTML issue and other (quite a few) untied knots around the old proposal soon.

@annevk
Copy link
Member

annevk commented Apr 16, 2021

Ah okay, so the problem with delegating user activation is that it's too generic. You want to delegate user activation but scoped to a particular API. I like that.

moz-v2v-gh referenced this issue in mozilla/gecko-dev Aug 25, 2021
…r getDisplayMedia() r=jib

Backed out changeset 7a50bf09d726

There was no known value in relaxing the activation constraint because it
didn't resolve the use case that was thought to have regressed, but apparently
didn't.  https://bugzilla.mozilla.org/show_bug.cgi?id=1704278#c24

This restores specified behavior, which is similar to Safari.
https://github.com/w3c/mediacapture-screen-share/issues/167#issuecomment-821068685

Differential Revision: https://phabricator.services.mozilla.com/D122192
jamienicol referenced this issue in jamienicol/gecko Aug 31, 2021
…r getDisplayMedia() r=jib

Backed out changeset 7a50bf09d726

There was no known value in relaxing the activation constraint because it
didn't resolve the use case that was thought to have regressed, but apparently
didn't.  https://bugzilla.mozilla.org/show_bug.cgi?id=1704278#c24

This restores specified behavior, which is similar to Safari.
https://github.com/w3c/mediacapture-screen-share/issues/167#issuecomment-821068685

Differential Revision: https://phabricator.services.mozilla.com/D122192
@dontcallmedom dontcallmedom added the enhancement New feature or request label Nov 30, 2021
@dontcallmedom dontcallmedom transferred this issue from w3c/mediacapture-screen-share Feb 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

6 participants