Hi All, On Wednesday, June 8, 2022 at 12:05:48 PM UTC+10 Matt Giuca wrote:
> Hi folks, > > I've followed up on this internally at Google (talking to Chrome and > YouTube people) and also had a private thread with Marcos. > > Marcos has proposed just changing the spec (and by extension, Gecko) to > make the permission policy be "*" by default, essentially codifying Chrome > and Safari's current behaviour of allowing embeds to use Web Share without > permission, but giving embedders the option to explicitly block it: > https://github.com/w3c/web-share/pull/234 > > My preference is actually to try and enforce the current spec (default of > "self") which would mean YT and other embeds are blocked from using Web > Share by default, unless granted permission by the embedder. > 'self' is my preference also and I'd be more than happy to close the PR for the proposal above (#234). Short of removing the permissions policy entirely, #234 was basically the only means we had to deal with the web compat issues that have arisen. But it's super encouraging to hear "self" could be back on the table. 🙏 As I see it, the only major issue with YouTube being a huge user of Web > Share in iframes, is that the share button is apparently broken (as in, if > clicked, it throws a JS exception) if the permission is blocked. That's > simply a bug which we can get YouTube to fix (I am following up internally > with YouTube). If that bug is fixed, then I don't see a problem with the > share button falling back to use the internal in-page share UI (rather than > using the Web Share API) on the majority of embedded YT videos, with the > option for embedders to grant the permission if they want that UI to work. > > Either way, we should come to a consensus on this and align the spec and > three implementations in relatively short order (O(days-weeks)). > That would be amazing. In the meantime, we've updated WebKit to use "*" as I was left with little option because of the breakage. However, if we get agreement on "self" and some kind of timeframe form Chrome, I can revert that form WebKit and we can work towards an interoperable solution ('self'). FWIW, Firefox is also shipping with 'self' as the policy [1], which means it's also affecting their Windows and Android implementations. [1] https://github.com/mozilla/gecko-dev/blob/1e13dfc1bd87c3747d6712807401c590d0211a46/dom/security/featurepolicy/FeaturePolicyUtils.cpp#L37 Looking forward to a speedy resolution! -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a965fc70-f24f-49f4-8ddf-378e7730f02cn%40chromium.org.