no audio/video permission for cross origin iframe when the iframe is redirected to a different domain
Reported by
xsvengo...@gmail.com,
Jan 19 2018
|
|||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Steps to reproduce the problem: 1. Host the example web page somewhere 2. Edit 2.html so that it has the correct link to open 3.html 3. Open 1.html by the file 4. Open the developer tools and observe that the console is printing an alert about denied audio/video capture permissions What is the expected behavior? The console shall print "getUserMedia succeeded" and there shouldn't be any alerts visible that state denied audio/video capture permissions What went wrong? It looks like there's a case not being handled with the new cross origin iframe permission stuff (detailed here: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes). The first page contains an iframe with allow="camera; microphone" and src="2.html". The second page will perform a redirect to 3.html by setting window.location. I was able to perform the test with Firefox 57.0.4 and it worked. This was the easiest way to create an example page to test with, but my actual use case in the field involves 3 different domains. Domain 1 loads an iframe with a source from Domain 2. Domain 2 requests video and audio devices and is granted access; it works. Domain 2 then redirects to Domain 3 which requests video and audio devices and fails; cross origin permission error. I'm not sure how it should work since this is all new functionality, but I would imagine that Chrome would prompt the user for permission again. Did this work before? N/A Does this work in other browsers? Yes Chrome version: 64.0.3282.99 (Official Build) beta (64-bit) (cohort: Beta) Channel: beta OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: 28.0.0.137
,
Feb 15 2018
We have the exact same issue. Since M64, a partner integration in an iframe is completely broken. It was working fine for months prior to the M64 release. We added the allow="microphone; camera" to the iframe, but it still doesn't work as they do a redirect to one of their subdomain before request access to the camera and microphone. Their flow (domain edited) starts on something like authentication.example.org, then redirects on successful auth to go.example.org. It still works on Firefox, all existing and relevant versions.
,
Feb 15 2018
I had mentioned Firefox in my report, but it's sort of irrelevant because Firefox doesn't have the added security feature that Chrome implemented in 64.
,
Feb 16 2018
We've solved the issue with test pages by using a header for the parent page: Feature-Policy microphone *; camera *; speaker * Since usermedia cannot be used: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/uKO1CwiY3ts https://bugs.chromium.org/p/chromium/issues/detail?id=666765&desc=2 One could use more restrictive rules of course. It looks like the iframe "allow" approach simply doesn't work as is. Which I guess makes sense for different domains, less sense for subdomains. I hope this helps.
,
Mar 6 2018
,
Mar 6 2018
,
Mar 6 2018
,
Mar 16 2018
<iframe src="https://example.com/" allow="microphone;camera;speaker"> will allow those features to be used in the frame as long as the document in that frame is hosted at https://example.com. If it redirects, or allows the user to navigate to a different site, then the features will not be available. There are a couple of ways to allow it after a redirect -- if you know that the final page which needs to call getUserMedia is, say, https://example.net/, then you can allow that origin specifically: <iframe src="https://example.com/" allow="microphone https://example.net;camera https://example.net;speaker https://example.net"> If it *might* redirect there, and might not, you can supply both origins: <iframe src="https://example.com/" allow="microphone https://example.com https://example.net;camera https://example.com https://example.net;speaker https://example.com https://example.net"> (As a shorthand, 'src' can be used to refer to the origin of the document named in the src attribute, so you could use <iframe src="https://example.com/" allow="microphone 'src' https://example.net;camera 'src https://example.net;speaker 'src' https://example.net"> ) If you don't know where the frame is going to go, but want to allow access to the features in the frame, no matter where it navigates to, then you can use * to indicate 'all origins': <iframe src="https://example.com/" allow="microphone *;camera *;speaker *"> Be aware that *any* content loaded into that frame will have access to the user's camera and microphone in that case, though. If the user can be convinced to click a link to a malicious site, then that site could gain access to those devices (hence the safer default).
,
Mar 22 2018
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ajha@chromium.org
, Jan 23 2018