KEMBAR78
Removed use of responsible and active and focused documents by asajeffrey · Pull Request #1030 · immersive-web/webxr · GitHub
Skip to content

Conversation

asajeffrey
Copy link

@asajeffrey asajeffrey commented May 11, 2020

The definition of "transitory consent" already requires that the UI control that triggered the consent event must either be a descendant of the browsing context requesting the session, or a same-origin ancestor. So it's not obvious that the extra security checks are buying anything.

Fixes #873.


Preview | Diff

@asajeffrey
Copy link
Author

cc @avadacatvera

@asajeffrey
Copy link
Author

I can't spell @avadacatavra

@Manishearth
Copy link
Contributor

The definition of "transitory consent" already requires that the UI control that triggered the consent event must either be a descendant of the browsing context requesting the session, or a same-origin ancestor.

Can we perhaps have a note somewhere that underscores this? Also, we don't seem to link to "transitory consent" anywhere?

@asajeffrey
Copy link
Author

Sorry, I meant "transient activation" not "transitory consent". It's in the defn of immersive-session-allowed.

Good idea re a note.


1. Let |document| be the document that owns |session|.
1. If the request does not originate from |document|, return <code>false</code>.
1. If |document| is not [=active and focused=], return <code>false</code>.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, isn't removing this a behavior change?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, we handle this in the "currently focused area" section.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is a behavior change, in that in the old spec there was a race condition, if a user gave consent (e.g. by clicking on en "enter VR" button) then quickly changed the focus to an iframe, the old check would fail but the new check succeeds.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand: this is a per-frame thing about when poses can be reported. What per-frame behavior is here now?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I hadn't realized we were doing this per-frame. Er, why are we doing that? Do we really want that a user changing their mouse focus on the original document causes a security error in the XR content?

(Also, looking at https://pr-preview.s3.amazonaws.com/asajeffrey/webxr-spec/pull/1030.html#poses-may-be-reported I realize it needs an edit, since it refers to request which isn't in scope).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't tabbing out of a tethered session pause the session?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is weird that tabbing out would cause an exception to be thrown, though. In this case it might be better to report a null pose (something I plan to bring up later)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think we shouldn't base pose data on the state of the originating document, since the user can't see the originating document while they've got a headset on

I added back text requiring document visibility, we should discuss this in a separate issue.

@toji toji added this to the Pre-CR milestone May 15, 2020
@Manishearth Manishearth merged commit dc36a92 into immersive-web:master May 15, 2020
Manishearth added a commit to Manishearth/webxr that referenced this pull request May 22, 2020
This was removed in immersive-web#1030 because the original language was not rigorous enough. Reintroducing the check using better language.
kearwood pushed a commit to kearwood/webxr that referenced this pull request Aug 7, 2020
This was removed in immersive-web#1030 because the original language was not rigorous enough. Reintroducing the check using better language.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

"responsible" is not an adjective that can be applied to documents

3 participants