On Monday 2018-07-30 17:03 -0700, Kip Gilbert wrote:
> Is this feature enabled by default in sandboxed iframes?
> WebXR will not be enabled by default in sandboxed iframes.  This will likely 
> be enabled later, by use of Feature Policy: 
> https://github.com/immersive-web/webxr/issues/86

I'm curious why this is specific to sandboxed iframes, rather than,
say, any cross-origin iframes (and perhaps also same-origin
sandboxed ones).

That said, some of this concern comes from not being sure what it
looks like to a user if a page wants to use XR.  Is there some sort
of permission prompt or request that the user sees first?

If there is... what domain is it associated with?

One of the goals of feature policy is to allow permission requests
to be *associated* only with the toplevel page.  This is useful since
permission requests coming from subframes aren't particularly
meaningful and are also confusing -- they don't correspond to the
URL bar, it's not clear what persisting them would mean, etc.

A page would be able to use feature policy to delegate their ability
to use/request capabilities to a cross-origin frame.  Without that
delegation a cross-origin subframe would not have access to the
capability; with the delegation requests from the cross-origin frame
would appear as though they come from the toplevel document (and if
remembered, would be remembered as such).

*If* something like that is the model here, then maybe a
cross-origin iframes restriction rather than a sandbox iframes
restriction makes more sense.

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
               - Robert Frost, Mending Wall (1914)


_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
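
Added example, not part of the original message: a simplified JavaScript model (not the Feature Policy specification algorithm) comparing the sandbox-only default in the quoted reply with the cross-origin default and delegation model discussed in the message. All origins and the frame fields `sandboxed`, `allowSameOrigin` and `delegated` are constructed assumptions.

```javascript
// Added example: a simplified model, not the Feature Policy specification
// algorithm. Origins and the frame fields below are constructed.
const TOP = "https://shop.example";

// Sandboxing without allow-same-origin gives the document an opaque origin,
// so it is cross-origin to every other document.
function isCrossOrigin(frame, parentOrigin) {
  const opaque = frame.sandboxed && !frame.allowSameOrigin;
  return opaque || frame.origin !== parentOrigin;
}

// Rule in the quoted reply: off by default only in sandboxed iframes.
function sandboxRule(frame) {
  return !frame.sandboxed || frame.delegated;
}

// Alternative raised in the message: off by default in cross-origin iframes
// (optionally also same-origin sandboxed ones) unless the parent delegates.
function crossOriginRule(frame, parentOrigin, alsoSandboxed = false) {
  const restricted = isCrossOrigin(frame, parentOrigin) ||
    (alsoSandboxed && frame.sandboxed);
  return !restricted || frame.delegated;
}

// Constructed frames, each embedded directly in TOP.
const frames = [
  { name: "same-origin", origin: TOP, sandboxed: false, allowSameOrigin: false, delegated: false },
  { name: "third-party", origin: "https://ads.example", sandboxed: false, allowSameOrigin: false, delegated: false },
  { name: "delegated", origin: "https://viewer.example", sandboxed: false, allowSameOrigin: false, delegated: true },
  { name: "sandboxed-same-origin", origin: TOP, sandboxed: true, allowSameOrigin: true, delegated: false },
];

// For each frame: access under each rule, and the origin a permission request
// would be attributed to under the delegation model (always the top-level page).
function compare(list, topOrigin) {
  return list.map((f) => {
    const allowed = crossOriginRule(f, topOrigin);
    return {
      name: f.name,
      sandboxRule: sandboxRule(f),
      crossOriginRule: allowed,
      crossOriginPlusSandbox: crossOriginRule(f, topOrigin, true),
      promptOrigin: allowed ? topOrigin : null,
    };
  });
}

console.table(compare(frames, TOP));
```

The rows where the rules disagree are the undelegated third-party frame, which only the sandbox-only rule lets through, and the same-origin sandboxed frame, which only the plain cross-origin rule lets through.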
