Breaking Geolocation, fullscreen, camera, mic, screen capture requests from cross-origin <iframe> are now disabled by default

Published:

Categories: Audio & Video, DOM, Privacy & Security

Releases: Firefox 74

Description

Firefox 74 has added support for Feature Policy, which allows web developers to control the behaviour of various web platform features and APIs. The new allow attribute on the <iframe> element controls which features are available within the <iframe>; certain features are now disabled for third parties by default in an effort to avoid confusion for users.

These features can no longer be used in cross-origin <iframe>s unless the feature is explicitly enabled with the allow attribute:

For example, to allow a third-party <iframe> to use the Geolocation API, you have to write something like this; otherwise, its permission request will be silently blocked:

<iframe src="https://maps.example.com/" allow="geolocation"></iframe>

These features can no longer be used in cross-origin <iframe>s even if you use the allow attribute:

  • Persistent storage via navigator.storage.persist()
  • Notifications API (since Firefox 70)
  • Vibration API (since Firefox 72)
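
An audit helper for the rules above, as an added example that is not part of the original note and is not Mozilla's code: given the page URL and each <iframe>'s src and allow value, it reports which features a cross-origin frame can still request. The `needs` list, the status strings and the three labels in `NEVER` are assumptions of this example, and only the allow attribute is considered.

```javascript
// Added example, not Mozilla's code. Policy tokens for the features this note names.
const NEEDS_ALLOW = new Set(["geolocation", "fullscreen", "camera", "microphone", "display-capture"]);
// Blocked in cross-origin frames even with allow; these labels are made up for this example.
const NEVER = new Set(["persistent-storage", "notifications", "vibration"]);

// Parse allow="feature [allowlist]; feature [allowlist]" into Map(feature -> allowlist tokens).
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// Does the allowlist cover the frame's own origin? An empty allowlist means 'src'.
function grants(allowlist, frameOrigin) {
  if (!allowlist) return false;            // feature not listed in allow at all
  if (allowlist.length === 0) return true; // bare feature name, e.g. allow="geolocation"
  return allowlist.some((token) => {
    if (token === "*" || token === "'src'") return true;
    try { return new URL(token).origin === frameOrigin; } catch { return false; }
  });
}

// frame = { src, allow, needs }; needs lists what the embedded widget uses (auditor-supplied).
function auditFrame(pageUrl, frame) {
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(frame.src, pageUrl).origin;
  const policy = parseAllow(frame.allow);
  const report = {};
  for (const feature of frame.needs) {
    if (frameOrigin === pageOrigin) report[feature] = "same-origin"; // not affected by this change
    else if (NEVER.has(feature)) report[feature] = "blocked-always";
    else if (!NEEDS_ALLOW.has(feature)) report[feature] = "not-covered";
    else report[feature] = grants(policy.get(feature), frameOrigin) ? "allowed" : "blocked";
  }
  return report;
}

// Constructed sample page and frames.
const PAGE = "https://www.example.com/contact";
const FRAMES = [
  { src: "https://maps.example.com/", allow: "geolocation", needs: ["geolocation"] },
  { src: "https://chat.example.net/widget", allow: "", needs: ["microphone", "notifications"] },
  { src: "https://video.example.org/embed/1", allow: "fullscreen 'none'; camera https://video.example.org", needs: ["fullscreen", "camera"] },
  { src: "/embed/form", allow: "", needs: ["geolocation"] },
];
for (const f of FRAMES) console.log(f.src, auditFrame(PAGE, f));
```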

Update: The change has been postponed from Firefox 73 to 74.

Update 2: Google Hangouts is affected by this change: mic access from Gmail doesn’t work. Also, the fullscreen button of video players is not working on AOL-owned web properties including HuffPost, Engadget and TechCrunch.
