Disable web midi by default in cross-origin iframes
raymeskhoury opened this issue · 4 comments
We would like to explore disabling midi by default for cross-origin iframes. The idea is that it would be possible for the embedder to re-enable midi using the proposed Feature Policy mechanism.
The change is proposed mainly for the sake of security (see the doc below) but incidentally, this change may help with the current misuse of the midi API for fingerprinting.
Midi already has a failure mode that occurs as a result of the user denying permission. This same failure mode can be reused but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.
Note that this issue is mainly just intended to start the discussion about this change :) Several things would have to happen before we could land it, including Feature Policy being nailed down. The motivations for this change and a discussion of compatibility risk can be found here: https://docs.google.com/document/d/13dp9xWVyGM8THAQohDOT2mMOTSGLxEhSZEvgpmVLrxU/edit
LGTM.
This same failure mode can be reused
Yes, we can return "SecurityError" for such case.
but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.
Is there any concrete idea for this? I'm not sure what is actually needed here, but Permissions API may satisfy most use cases, or extending it would work?
As long as we don't land the feature prior to having a Feature Policy way to turn it back on, I'm all for this change.
Is there any concrete idea for this? I'm not sure what is actually needed here, but Permissions API may satisfy most use cases, or extending it would work?
I hope @clelland will be able to help us with this once the FP spec is finished
As long as we don't land the feature prior to having a Feature Policy way to turn it back on, I'm all for this change.
+1 :)
This has been integrated via the Feature Policy and Permissions integration.