
Issue 625044

Starred by 14 users

Issue metadata

Status: Fixed
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Launch-OWP
Launch-Accessibility: NA
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: NA
Launch-Security: NA
Launch-Test: ----
Launch-UI: NA
Rollout-Type: ----

Blocking:
issue 704650
issue 638732
issue 683938




Block navigator.vibrate in cross origin iframes

Project Member Reported by kenjibaheux@chromium.org, Jul 1 2016

Issue description

Change description:
Block navigator.vibrate in cross-origin iframes (the call of navigator.vibrate will be no-op inside cross-origin iframes).



Motivation

Vibrate is being abused by unsafe third-party content (e.g., malicious ads), and some users have complained about it (e.g., this reddit thread). To better protect users, we would like to block vibrate if it is called in cross-origin iframes (e.g., a lot of ads are rendered inside iframes).



Interoperability and Compatibility Risk

The measurement from Chrome shows that vibrate in (same-origin+cross-origin) iframes is being used by ~0.00025% of pages (the metrics link), and so it is considered a low risk removal.
Meanwhile, if needed, we could provide a permission API to re-enable it, since the permissions/feature-policy work is moving forward and will probably ship by the end of the year.

 
Labels: Launch-Accessibility-NA
Blocking: 638732

Comment 4 by bi...@google.com, Sep 19 2016

Just for the record, the original bug is
https://bugs.chromium.org/p/chromium/issues/detail?id=621397
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/73c8d462f16d232661175c790bf476f4cda24874

commit 73c8d462f16d232661175c790bf476f4cda24874
Author: binlu <binlu@google.com>
Date: Thu Sep 29 18:23:55 2016

Block navigator.vibrate in cross-domain iframe.
Intent to implement and ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/7iVcwNcO3xw/WQSkkuk5BQAJ

BUG= 625044 

Review-Url: https://codereview.chromium.org/2354433002
Cr-Commit-Position: refs/heads/master@{#421873}

[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-vibrate-blocked.html
[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/resources/same-origin-iframe-for-vibrate-allowed.html
[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/vibrate_in_cross_origin_iframe_blocked-expected.txt
[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/vibrate_in_cross_origin_iframe_blocked.html
[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/vibrate_in_same_origin_iframe_allowed-expected.txt
[add] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/LayoutTests/http/tests/security/vibrate_in_same_origin_iframe_allowed.html
[modify] https://crrev.com/73c8d462f16d232661175c790bf476f4cda24874/third_party/WebKit/Source/modules/vibration/NavigatorVibration.cpp

Comment 6 by bi...@google.com, Jan 18 2017

An update: For now, the vibrate function can be turned on by web site owners (see https://bugs.chromium.org/p/chromium/issues/detail?id=623682):
For example, if you have an iframe (src=B.com) that you'd like to enable vibrate for, you will have to include a header: "Feature-Policy: {"vibrate": [B.com]}". Alternatively you can enable vibrate for all iframes by "Feature-Policy: {"vibrate": [*]}" or all same-origin iframes by "Feature-Policy: {"vibrate": [self]}". If you want to disable it, you can do "Feature-Policy: {"vibrate": []}".
By default vibrate is enabled for self, which means current frame and same-origin iframes have permission to vibrate.

Also, we are working on implementing an iframe attribute for feature policy (please see https://github.com/WICG/feature-policy/ and crbug.com/682258). So you will be able to enable vibrate for any iframe in a couple of months by something like:
<iframe src=... enable="vibrate"></iframe>
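
The allowlist semantics described in comment 6, modelled as an added example (not part of the original comment and not Chromium's code). It assumes the header value is JSON with quoted strings, that an unparsable header falls back to the default, and uses constructed origins (parent.example, ads.example, b.example).

```javascript
// Added illustration of the "vibrate" allowlist rules from comment 6.
// Assumptions: header value is JSON with quoted entries, e.g.
// {"vibrate": ["self"]}; an unparsable header falls back to the default.

function normalizeOrigin(value) {
  // Accept "https://b.example/path" or a bare host such as "b.example"
  // (a bare host is assumed to be https).
  const url = new URL(value.includes("://") ? value : "https://" + value);
  return url.origin;
}

function vibrateAllowed(headerValue, parentOrigin, frameOrigin) {
  const parent = normalizeOrigin(parentOrigin);
  const frame = normalizeOrigin(frameOrigin);

  // Default per the comment: enabled for self, i.e. the current frame
  // and same-origin iframes.
  let allowlist = ["self"];
  if (typeof headerValue === "string") {
    try {
      const policy = JSON.parse(headerValue);
      if (policy && Array.isArray(policy.vibrate)) allowlist = policy.vibrate;
    } catch (e) {
      // Malformed header: keep the default allowlist (assumption).
    }
  }

  for (const entry of allowlist) {
    if (entry === "*") return true;            // every iframe
    if (entry === "self") {                     // same-origin frames only
      if (frame === parent) return true;
      continue;
    }
    try {
      if (normalizeOrigin(entry) === frame) return true; // named origin
    } catch (e) {
      // Ignore entries that are not strings or not valid origins.
    }
  }
  return false; // an empty list disables vibrate everywhere
}

// Constructed sample: an ad frame under the default policy is blocked.
console.log(vibrateAllowed(null, "https://parent.example", "https://ads.example"));
```
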

Comment 7 by rbyers@chromium.org, Jan 23 2017

Labels: -M-54 M-55
Status: Fixed (was: Assigned)
This behavior (blocking navigator.vibrate in cross origin iframes) shipped in Chrome 55. Let's file new bugs to track any follow-up changes to the behavior to make the state clear from the milestone labels.

Comment 8 by rbyers@chromium.org, Jan 23 2017

Blocking: 683938

Comment 9 by rbyers@chromium.org, Jan 23 2017

Filed issue 683938 to track relaxing this however we can in Chrome 57.
Blocking: 704650
