Geolocation, fullscreen, camera, mic, screen capture requests from cross-origin <iframe> are now disabled by default

Published: | Categories: Audio & Video, DOM, Privacy & Security

Description

Firefox 73 has added support for Feature Policy, which allows web developers to control the behaviour of various web platform features and APIs. The new allow attribute on the <iframe> element can be used to control features within the <iframe>, and certain features are now disabled for third parties by default in an effort to avoid confusion for users.

These features (geolocation, fullscreen, camera, microphone and screen capture) can no longer be used in cross-origin <iframe>s unless the feature is explicitly enabled with the allow attribute.

So, for example, if you’d like to allow a third-party <iframe> to use the Geolocation API, you have to write something like this; otherwise its permission request will be silently blocked:

<iframe src="https://maps.example.com/" allow="geolocation"></iframe>

These features can no longer be used in cross-origin <iframe>s even if you use the allow attribute:

  • Persistent storage via navigator.storage.persist()
  • Notifications API (since Firefox 70)
  • Vibration API (since Firefox 72)
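
The following is an added example, not code from Firefox or from this page: a small model of the two lists above that reports which features an embedded frame relies on but would have blocked. The tokens other than geolocation, the three labels for the always-blocked features, and the frame.uses field are assumptions made for the example.

```javascript
// Added example: models the Firefox 73 defaults described on this page.
// allow-attribute tokens for the features gated by the allow attribute.
const NEEDS_ALLOW = new Set([
  "geolocation", "fullscreen", "camera", "microphone", "display-capture",
]);
// Labels made up for this example (not allow tokens): never usable cross-origin.
const NEVER_CROSS_ORIGIN = new Set([
  "persistent-storage", "notifications", "vibration",
]);

const originOf = (value, base) => {
  try { return new URL(value, base).origin; } catch { return null; }
};

// Parse allow="a; b https://x.example" into Map(feature -> allowlist tokens).
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of (allowAttr || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// "allowed" means not blocked by policy; the user may still be prompted.
function featureState(pageUrl, frame, feature) {
  const pageOrigin = originOf(pageUrl);
  const frameOrigin = originOf(frame.src, pageUrl);
  const allowlist = parseAllow(frame.allow).get(feature);
  if (frameOrigin === pageOrigin) {
    return allowlist && allowlist.includes("'none'") ? "blocked" : "allowed";
  }
  if (NEVER_CROSS_ORIGIN.has(feature)) return "blocked";
  if (!NEEDS_ALLOW.has(feature)) throw new RangeError(`unknown feature: ${feature}`);
  if (!allowlist) return "blocked"; // not listed: silently blocked by default
  if (allowlist.length === 0) return "allowed"; // bare name defaults to 'src'
  const ok = allowlist.some(
    (t) => t === "*" || t === "'src'" || originOf(t) === frameOrigin);
  return ok ? "allowed" : "blocked";
}

// Features a frame relies on (frame.uses) that would be blocked.
function blockedFeatures(pageUrl, frame) {
  return frame.uses.filter((f) => featureState(pageUrl, frame, f) === "blocked");
}
```

Running blockedFeatures over a site's third-party embeds before rollout shows which ones need an allow attribute and which rely on a feature that cannot be re-enabled at all.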
