
Add "window-placement" to iframe permissions

Open mootari opened this issue 4 years ago • 13 comments

Is your feature request related to a problem? Please describe.

Multi-Screen Window Placement is a fairly new web API that is currently in draft. It allows more refined control over window placement in multi-screen environments, and is currently the only way to restore window positions to second displays. More details can be found in the explainer.

Chrome launched an origin trial in Chrome 93, where the feature is currently hidden behind the #enable-experimental-web-platform-features flag. It is estimated to fully ship in Chrome 97. For more details and further links please see Intent to Experiment: Multi-Screen Window Placement.

Chrome is currently the only browser to implement this new API.

Describe the solution you'd like

Sandboxed iframes by default don't have access to the API. To grant access, the keyword window-placement must be added to the iframe's allow attribute.

mootari avatar Sep 29 '21 20:09 mootari
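
The delegation requested above, as an added example that is not part of the original thread or Observable's code: a small evaluator for an iframe `allow` attribute that reports whether a feature such as window-placement is delegated to the origin loaded in the frame. The function names, the origins and the sample attribute are constructed for illustration.

```javascript
// Added example (not from the thread): evaluate an iframe `allow` attribute.
// Origins and the sample attribute below are constructed.
const SAMPLE_ALLOW = "window-placement; language-model 'self'";
const CTX = {
  embedderOrigin: "https://embedder.example", // page that contains the iframe
  srcOrigin: "https://sandbox.example",       // origin of the iframe's src URL
  frameOrigin: "https://sandbox.example",     // origin currently loaded in the frame
};

// Parse into Map<feature, allowlist tokens>. A feature listed without an
// allowlist defaults to 'src'. This example keeps the first declaration.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of allowAttr.toLowerCase().split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    if (policy.has(feature)) continue;
    policy.set(feature, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// True if `feature` is delegated to ctx.frameOrigin. A feature that is not
// listed is treated as not delegated, the default the issue describes.
function isDelegated(allowAttr, feature, ctx) {
  const allowlist = parseAllow(allowAttr).get(feature);
  if (!allowlist) return false;
  return allowlist.some((token) => {
    if (token === "*") return true;                 // any origin
    if (token === "'none'") return false;           // explicit opt-out
    if (token === "'src'") return ctx.frameOrigin === ctx.srcOrigin;
    if (token === "'self'") return ctx.frameOrigin === ctx.embedderOrigin;
    try {
      return new URL(token).origin === ctx.frameOrigin; // explicit origin
    } catch {
      return false;                                 // unparseable token
    }
  });
}

console.log(isDelegated(SAMPLE_ALLOW, "window-placement", CTX)); // granted via 'src'
console.log(isDelegated(SAMPLE_ALLOW, "language-model", CTX));   // 'self' is the embedder
```

With the bare keyword, the grant follows the `src` origin only, so a frame that navigates to a different origin no longer matches.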

This feature was first requested in Windows Placement API to new for observable.

mootari avatar Sep 29 '21 20:09 mootari

Do you know of any risks involved in allowing it?

visnup avatar Sep 29 '21 21:09 visnup

@visnup According to Security & Privacy it exposes more vectors for fingerprinting, but other than that should be safe.

mootari avatar Sep 29 '21 21:09 mootari

Can you provide a little more context on how you want to use this feature?

mbostock avatar Sep 29 '21 21:09 mbostock

@mbostock I have two use cases:

  1. Opening a window at a previously stored position on a secondary monitor. With the current window positioning API the window's offset is clamped to the primary display.
  2. Showing a map of multiple windows and managing their arrangement across multiple displays.

Note that access to the API must still be granted explicitly by the user, for the current domain. You can test this yourself by following these steps:

  1. In Chrome, enable chrome://flags/#enable-experimental-web-platform-features and restart Chrome.
  2. Open any page in an incognito window.
  3. In the dev tools console, execute getScreens()

Alternatively, to test the API within Observable follow step 1, then run the following code in a cell:

window.open().getScreens()

mootari avatar Sep 29 '21 21:09 mootari

Are there any major concerns that would block this change?

mootari avatar Oct 14 '21 12:10 mootari

Could this be solved in general with settings to allow me to add permissions to my notebook iframe? E.g. I had this notebook https://observablehq.com/@ryanseddon/chrome-ai that no longer works due to the language model needing allow="language-model" in a recent update. There are also a few other allow properties too for some other APIs.

ryanseddon avatar Jul 16 '25 11:07 ryanseddon

@ryanseddon Tbh I don't see that happening since it would be too narrow with too many caveats to justify the effort it would require to implement and maintain.

For now you might be able to proxy access to the API via a popup window. Check out this notebook for examples: https://observablehq.com/@mootari/powerful-features

mootari avatar Jul 16 '25 13:07 mootari

@mootari thanks, not sure if I'm understanding how to request the permissions correctly. I have this notebook, but it still returns the "unavailable" from the proxied window: https://observablehq.com/d/21a54e3494cec66c

ryanseddon avatar Jul 17 '25 05:07 ryanseddon

@ryanseddon Works for me after enabling chrome://flags/#prompt-api-for-gemini-nano


I was also able to start a model download, didn't test any further though.

Btw, you don't need to fork the notebook. You can import the helper via

import {request} from "@mootari/powerful-features"

mootari avatar Jul 17 '25 08:07 mootari

Of course I have that enabled; I've been working with it for months. I have the model downloaded, but it gives me unavailable when it should be available, like I do directly in the console.


Trying to start a session gives me permission denied.

ryanseddon avatar Jul 17 '25 10:07 ryanseddon

@ryanseddon Can you please open a discussion in https://github.com/observablehq/feedback/discussions? I'll follow up there.

mootari avatar Jul 17 '25 10:07 mootari

Done https://github.com/observablehq/feedback/discussions/656

ryanseddon avatar Jul 17 '25 11:07 ryanseddon