New issue
Advanced search Search tips
Starred by 4 users
Status: Fixed
Closed: Apr 2015
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

issue 163795

Sign in to add a comment
Web MIDI API: reject sysex permission on http
Project Member Reported by, Mar 24 2015 Back to list
For security reason, we decided to reject all permission request from HTTP.
Permission UI will appear only for HTTPS.

extensions:// scheme for Chrome Apps should be handled separately.
Blocking: chromium:163795
Status: Started
The first change fix the logic for UI prompting.

Note from the review comment that I will handle in the second change.
Note that it is still possible to set non-secure origin exceptions through the
the settings UI: chrome://settings/contentExceptions#midi-sysex

Please consider adding a similar protection there, or simply disable editing as
we do with some other types, such as geolocation or fullscreen.
Project Member Comment 4 by, Mar 30 2015
The following revision refers to this bug:

commit 9eb573f4ea26fbc1ad3ba3d1988d5227b80fed36
Author: toyoshim <>
Date: Mon Mar 30 10:39:39 2015

Web MIDI API: reject sysex permissions on non-secure schemes

Since sysex messages are so powerful, Chrome does not allow sysex
permission for any requests from non-secure schemes.

TEST=manual check with simple page, and embedded iframe page.
BUG= 470170 

Review URL:

Cr-Commit-Position: refs/heads/master@{#322761}


Comment 5 by, Mar 31 2015
Can we mark this as Fixed?
one more fix is coming for content settings UI.
Project Member Comment 7 by, Apr 1 2015
The following revision refers to this bug:

commit ccabd7eb46c3a472c4be96cac6209c966ac354f8
Author: toyoshim <>
Date: Wed Apr 01 02:58:30 2015

Web MIDI API: disallow to add custom exceptions on content settings UI

To disallow to add exceptions for non-secure origin, make midi-sysex
permission impossible to edit on content settings UI for now.

BUG= 470170 

Review URL:

Cr-Commit-Position: refs/heads/master@{#323173}


Is http://localhost considered secure? It would be useful to keep this working for sysex.
I'd check it and enable localhost if needed.
Seems like the localhost part is better solved by just waiting for  issue 362214  to be resolved. I don't feel strongly to request a special case for Web MIDI here.
Project Member Comment 13 by, Apr 2 2015
The following revision refers to this bug:

commit 78fb2d9a429de070b0d7c9c57710cffa52c4b52b
Author: toyoshim <>
Date: Thu Apr 02 20:27:31 2015

Web MIDI: allow http://localhost to prompt sysex permission

Allow to obtain a sysex permission for localhost even if the scheme is
non-secure. This is inteded for to use for testing.

TEST=manual check with http://localhost:xxx and
BUG= 470170 

Review URL:

Cr-Commit-Position: refs/heads/master@{#323555}


Status: Fixed
Project Member Comment 15 by, Apr 17 2015
The following revision refers to this bug:

commit 298d7eb01ab6f9c1f8781a31c2fddc13f9e4e4e2
Author: palmer <>
Date: Fri Apr 17 21:09:23 2015

Use IsOriginSecure when checking Web MIDI SYSEX capability.

Rather than the previous ad hoc check. IsOriginSecure is the standard way.

BUG= 362214 , 470170 

Review URL:

Cr-Commit-Position: refs/heads/master@{#325717}


Sign in to add a comment