
Deprecate on-by-default Permissions in Cross-origin Iframes

Category
Security
Type
New or changed feature
Status
Enabled by default (Chrome 64)
Intent stage
None

Summary

It’s proposed that, by default, the following permissions cannot be requested by or granted to content contained in cross-origin iframes:

- Geolocation
- MIDI
- Encrypted media extensions
- Microphone and Camera

In order for a cross-origin frame to get access to these permissions, the embedding page must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe, the embedder could specify the iframe tag as:

<iframe src="..." allow="geolocation">
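As an added example (not code from this page or from the Chromium project), the following Node.js script audits embed markup and reports which of the permissions listed above each iframe could still request under this default. The function names, the sample markup and its hostnames are hypothetical; it assumes the Feature Policy tokens `geolocation`, `midi`, `encrypted-media`, `microphone` and `camera`, the semicolon-separated `allow` syntax with optional allowlists, and an embedding page that itself holds the features, and it ignores `sandbox`.

```javascript
// Added example, not Chromium code: which gated features can each iframe request?
const GATED = ["geolocation", "midi", "encrypted-media", "microphone", "camera"];

// True when an allow directive's allowlist covers the frame's origin.
function allowlistMatches(allowlist, frameOrigin, pageOrigin) {
  if (allowlist.length === 0) return true; // bare feature name defaults to the src origin
  return allowlist.some((entry) => {
    if (entry === "*" || entry === "'src'") return true;
    if (entry === "'self'") return frameOrigin === pageOrigin;
    if (entry === "'none'") return false;
    try { return new URL(entry).origin === frameOrigin; } catch { return false; }
  });
}

// Map each feature named in the allow attribute to enabled/disabled for this frame.
function parseAllow(allow, frameOrigin, pageOrigin) {
  const named = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...list] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) named.set(feature.toLowerCase(), allowlistMatches(list, frameOrigin, pageOrigin));
  }
  return named;
}

// Extract quoted attributes from one <iframe ...> start tag.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g))
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

function auditIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].flatMap(([tag]) => {
    const attrs = parseAttrs(tag);
    if (!attrs.src) return []; // srcdoc and src-less frames are out of scope here
    const frameOrigin = new URL(attrs.src, pageUrl).origin;
    const crossOrigin = frameOrigin !== pageOrigin;
    const named = parseAllow(attrs.allow, frameOrigin, pageOrigin);
    // Features not named in allow: same-origin frames keep them, cross-origin frames do not.
    const canRequest = GATED.filter((f) => (named.has(f) ? named.get(f) : !crossOrigin));
    return [{ src: attrs.src, crossOrigin, canRequest }];
  });
}

// Constructed sample markup; hostnames are placeholders.
const SAMPLE = `<iframe src="https://maps.example/embed" allow="geolocation; camera 'none'"></iframe>
<iframe src="https://ads.example/slot"></iframe><iframe src="/widgets/local.html"></iframe>`;
console.log(auditIframes(SAMPLE, "https://site.example/index.html"));
```

Run against a site's templates, the report gives a reviewable list of third-party frames that have been delegated a powerful feature, which is the set worth keeping minimal.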

Standards & signals

Docs: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes
