keyboard-map
keyboard-map copied to clipboard
WICG
Clarification needed regarding permissions policy integration
The Question
As of now, the getLayoutMap() algorithm states:
If this's relevant global object's associated Document is not allowed to use the policy-controlled permission named "keyboard-map", reject the promise.
But the Privacy Mitigations section states:
[T]he API is only available from secure contexts and can only be called from the currently active top-level browsing context or granted access via policy-controlled feature.
These two statements contradict each other in the case when top-level browsing context does not have the permission.
As of October 2023, Chrome/Chromium implementation follows the Privacy Mitigations version and ignores the permission policy state in top-level frame and allows access even if keyboard-map is explicitly forbidden. Chromium issue here. As of October 2023, there is no WPT specifically for this case.
Background
Originally, getLayoutMap() was allowed only from top-level context and did not have any other restrictions. Then in #38 there was some discussion about access from sub-frames, which resulted in keyboard-map Permissions Policy.
Chronology of most important events:
- commit https://github.com/WICG/keyboard-map/commit/78cfc488458175bf0ac48c2af3737ad6f3e47647 added
keyboard-mappermission identifier with default allow-list'self' - commit https://github.com/WICG/keyboard-map/commit/9237b2630b9cf408f6a8e7c938bd1f334f78079f updated the
getLayoutMap()algorithm to use the permission replacing the mention of top-level browsing context with the new permission. Please note that since the default allow list was'self', the top-level document was still allowed access by default. - in this commit Chromium implemented
keyboard-mappermission but did not remove the mention of top-level browsing context, effectively putting it in conflict with the specification. Note: the new WPT did not get a dedicated test specifically for the case of top-level context having explicit Permissions Policykeyboard-map=()and trying to access the API. - commit https://github.com/WICG/keyboard-map/commit/bf67454b5eda610b28fa97c9aede77a7ff912bfd updated the "Privacy Mitigations" section adding wording about
keyboard-mappermission but not removing the mention of top-level browsing context. This was in direct contradiction with the previous commit9237b26. - (inconsequential) Chromium commit moved the check from Blink renderer process to the core browser process.
- (inconsequential) Chromium issue was filed specifically about this ambiguity.
Possible solutions
Remove access from top-level context when it is explicitly forbidden by Permissions Policy
- This will likely reflect the intent of the Permissions Policy system better.
- This will not change behavior for most websites since they do not specify
keyboard-mappermission. - This will require a one-line change to Chromium
KeyboardLockServiceImpl::GetKeyboardLayoutMap()method. - This will require change to "Privacy Mitigations" section. PR #45 implements this change.
- This will require a WPT test.
Allow access from top-level context even in case of explicit restriction
- This will reflect the current Chromium behavior better.
- This will not change behavior for any websites at all.
- This will require no changes on Chromium side.
- This will require change to the
getLayoutMap()algorithm. - This will require a WPT test.
I can crate a Chromium CL for either solution once there is a consensus which option to take. I would favor the first solution (consistency with Permissions Policy).
Related discussion
This came up in uBlock Origin discussion.
