Add deprecation warnings for permission API usage from iframes

This adds deprecation warnings when the following APIs are used from cross
origin iframes:
-getCurrentPosition and watchPosition
-requestMIDIAccess
-requestMediaKeySystemAccess
-getUserMedia

A message is only logged if the feature would be disallowed by feature policy.

BUG=689802

Review-Url: https://codereview.chromium.org/2945223002
Cr-Commit-Position: refs/heads/master@{#485491}

third_party/WebKit/Source/core/frame/Deprecation.cpp

@@ -11,6 +11,7 @@
 #include "core/inspector/ConsoleMessage.h"
 #include "core/page/Page.h"
 #include "core/workers/WorkerOrWorkletGlobalScope.h"
+#include "public/platform/WebFeaturePolicyFeature.h"
 
 namespace {
 
@@ -70,6 +71,18 @@ String replacedWillBeRemoved(const char* feature,
       feature, milestoneString(milestone), replacement, details);
 }
 
+String DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+    const char* function,
+    const char* allow_string,
+    Milestone milestone) {
+  return String::Format(
+      "%s usage in cross-origin iframes is deprecated and will be disabled in "
+      "%s. To continue to use this feature, it must be enabled by the "
+      "embedding document using Feature Policy, e.g. "
+      "<iframe allow=\"%s\" ...>. See https://goo.gl/EuHzyv for more details.",
+      function, milestoneString(milestone), allow_string);
+}
+
 }  // anonymous namespace
 
 namespace blink {
@@ -180,6 +193,58 @@ void Deprecation::CountDeprecationCrossOriginIframe(const Document& document,
   CountDeprecationCrossOriginIframe(frame, feature);
 }
 
+void Deprecation::CountDeprecationFeaturePolicy(
+    const Document& document,
+    WebFeaturePolicyFeature feature) {
+  LocalFrame* frame = document.GetFrame();
+  if (!frame)
+    return;
+
+  // If the feature is allowed, don't log a warning.
+  if (frame->IsFeatureEnabled(feature))
+    return;
+
+  // If the feature is disabled, log a warning but only if the request is from a
+  // cross-origin iframe. Ideally we would check here if the feature is actually
+  // disabled due to the parent frame's policy (as opposed to the current frame
+  // disabling the feature on itself) but that can't happen right now anyway
+  // (until the general syntax is shipped) and this is also a good enough
+  // approximation for deprecation messages.
+  switch (feature) {
+    case WebFeaturePolicyFeature::kEme:
+      CountDeprecationCrossOriginIframe(
+          frame,
+          WebFeature::
+              kEncryptedMediaDisallowedByFeaturePolicyInCrossOriginIframe);
+      break;
+    case WebFeaturePolicyFeature::kGeolocation:
+      CountDeprecationCrossOriginIframe(
+          frame,
+          WebFeature::kGeolocationDisallowedByFeaturePolicyInCrossOriginIframe);
+      break;
+    case WebFeaturePolicyFeature::kMicrophone:
+      CountDeprecationCrossOriginIframe(
+          frame,
+          WebFeature::
+              kGetUserMediaMicDisallowedByFeaturePolicyInCrossOriginIframe);
+      break;
+    case WebFeaturePolicyFeature::kCamera:
+      CountDeprecationCrossOriginIframe(
+          frame,
+          WebFeature::
+              kGetUserMediaCameraDisallowedByFeaturePolicyInCrossOriginIframe);
+      break;
+    case WebFeaturePolicyFeature::kMidiFeature:
+      CountDeprecationCrossOriginIframe(
+          frame,
+          WebFeature::
+              kRequestMIDIAccessDisallowedByFeaturePolicyInCrossOriginIframe);
+      break;
+    default:
+      NOTREACHED();
+  }
+}
+
 String Deprecation::DeprecationMessage(WebFeature feature) {
   switch (feature) {
     // Quota
@@ -449,6 +514,25 @@ String Deprecation::DeprecationMessage(WebFeature feature) {
           "is deprecated, and is planned to be removed in %s. Please refer to "
           "https://goo.gl/EGXzpw for possible migration paths.",
           milestoneString(M65));
+    case WebFeature::
+        kEncryptedMediaDisallowedByFeaturePolicyInCrossOriginIframe:
+      return DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+          "requestMediaKeySystemAccess", "encrypted-media", M63);
+    case WebFeature::kGeolocationDisallowedByFeaturePolicyInCrossOriginIframe:
+      return DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+          "getCurrentPosition and watchPosition", "geolocation", M63);
+    case WebFeature::
+        kGetUserMediaMicDisallowedByFeaturePolicyInCrossOriginIframe:
+      return DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+          "getUserMedia (microphone)", "microphone", M63);
+    case WebFeature::
+        kGetUserMediaCameraDisallowedByFeaturePolicyInCrossOriginIframe:
+      return DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+          "getUserMedia (camera)", "camera", M63);
+    case WebFeature::
+        kRequestMIDIAccessDisallowedByFeaturePolicyInCrossOriginIframe:
+      return DeprecatedWillBeDisabledByFeaturePolicyInCrossOriginIframe(
+          "requestMIDIAccess", "midi", M63);
 
     // Features that aren't deprecated don't have a deprecation message.
     default:

third_party/WebKit/Source/core/frame/Deprecation.h

@@ -14,6 +14,7 @@
 namespace blink {
 
 class LocalFrame;
+enum class WebFeaturePolicyFeature;
 
 class CORE_EXPORT Deprecation {
   DISALLOW_NEW();
@@ -47,6 +48,9 @@ class CORE_EXPORT Deprecation {
   // have script access into the top level document.
   static void CountDeprecationCrossOriginIframe(const LocalFrame*, WebFeature);
   static void CountDeprecationCrossOriginIframe(const Document&, WebFeature);
+
+  static void CountDeprecationFeaturePolicy(const Document&,
+                                            WebFeaturePolicyFeature);
   static String DeprecationMessage(WebFeature);
 
   // Note: this is only public for tests.

third_party/WebKit/Source/modules/encryptedmedia/NavigatorRequestMediaKeySystemAccess.cpp

@@ -30,6 +30,7 @@
 #include "platform/wtf/text/WTFString.h"
 #include "public/platform/WebEncryptedMediaClient.h"
 #include "public/platform/WebEncryptedMediaRequest.h"
+#include "public/platform/WebFeaturePolicyFeature.h"
 #include "public/platform/WebMediaKeySystemConfiguration.h"
 #include "public/platform/WebMediaKeySystemMediaCapability.h"
 #include "public/platform/WebVector.h"
@@ -330,6 +331,8 @@ ScriptPromise NavigatorRequestMediaKeySystemAccess::requestMediaKeySystemAccess(
   UseCounter::Count(*document, WebFeature::kEncryptedMediaSecureOrigin);
   UseCounter::CountCrossOriginIframe(
       *document, WebFeature::kEncryptedMediaCrossOriginIframe);
+  Deprecation::CountDeprecationFeaturePolicy(*document,
+                                             WebFeaturePolicyFeature::kEme);
 
   // 4. Let origin be the origin of document.
   //    (Passed with the execution context.)

third_party/WebKit/Source/modules/geolocation/Geolocation.cpp

@@ -41,6 +41,7 @@
 #include "platform/wtf/Assertions.h"
 #include "platform/wtf/CurrentTime.h"
 #include "public/platform/Platform.h"
+#include "public/platform/WebFeaturePolicyFeature.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
 
 namespace blink {
@@ -151,6 +152,8 @@ void Geolocation::RecordOriginTypeAccess() const {
     UseCounter::Count(document, WebFeature::kGeolocationSecureOrigin);
     UseCounter::CountCrossOriginIframe(
         *document, WebFeature::kGeolocationSecureOriginIframe);
+    Deprecation::CountDeprecationFeaturePolicy(
+        *document, WebFeaturePolicyFeature::kGeolocation);
   } else if (GetFrame()
                  ->GetSettings()
                  ->GetAllowGeolocationOnInsecureOrigins()) {
@@ -165,6 +168,8 @@ void Geolocation::RecordOriginTypeAccess() const {
         WebFeature::kGeolocationInsecureOriginIframeDeprecatedNotRemoved);
     HostsUsingFeatures::CountAnyWorld(
         *document, HostsUsingFeatures::Feature::kGeolocationInsecureHost);
+    Deprecation::CountDeprecationFeaturePolicy(
+        *document, WebFeaturePolicyFeature::kGeolocation);
   } else {
     Deprecation::CountDeprecation(document,
                                   WebFeature::kGeolocationInsecureOrigin);

third_party/WebKit/Source/modules/mediastream/UserMediaRequest.cpp

@@ -48,6 +48,7 @@
 #include "modules/mediastream/UserMediaController.h"
 #include "platform/mediastream/MediaStreamCenter.h"
 #include "platform/mediastream/MediaStreamDescriptor.h"
+#include "public/platform/WebFeaturePolicyFeature.h"
 
 namespace blink {
 
@@ -402,6 +403,15 @@ bool UserMediaRequest::IsSecureContextUse(String& error_message) {
                       WebFeature::kGetUserMediaSecureOrigin);
     UseCounter::CountCrossOriginIframe(
         *document, WebFeature::kGetUserMediaSecureOriginIframe);
+    if (Audio()) {
+      Deprecation::CountDeprecationFeaturePolicy(
+          *document, WebFeaturePolicyFeature::kMicrophone);
+    }
+    if (Video()) {
+      Deprecation::CountDeprecationFeaturePolicy(
+          *document, WebFeaturePolicyFeature::kCamera);
+    }
+
     HostsUsingFeatures::CountAnyWorld(
         *document, HostsUsingFeatures::Feature::kGetUserMediaSecureHost);
     return true;

third_party/WebKit/Source/modules/webmidi/NavigatorWebMIDI.cpp

@@ -35,11 +35,13 @@
 #include "core/dom/DOMException.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
+#include "core/frame/Deprecation.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/Navigator.h"
 #include "core/frame/UseCounter.h"
 #include "modules/webmidi/MIDIAccessInitializer.h"
 #include "modules/webmidi/MIDIOptions.h"
+#include "public/platform/WebFeaturePolicyFeature.h"
 
 namespace blink {
 
@@ -91,6 +93,9 @@ ScriptPromise NavigatorWebMIDI::requestMIDIAccess(ScriptState* script_state,
   }
   UseCounter::CountCrossOriginIframe(
       document, WebFeature::kRequestMIDIAccessIframe_ObscuredByFootprinting);
+  Deprecation::CountDeprecationFeaturePolicy(
+      document, WebFeaturePolicyFeature::kMidiFeature);
+
   return MIDIAccessInitializer::Start(script_state, options);
 }
 

third_party/WebKit/public/platform/WebFeaturePolicyFeature.h

@@ -10,9 +10,9 @@ namespace blink {
 // These values map to the features which can be controlled by Feature Policy.
 //
 // Features are defined in
-// https://wicg.github.io/feature-policy/#defined-features. Many of these are
-// still under development in blink behind the featurePolicyExperimentalFeatures
-// flag, see getWebFeaturePolicyFeature().
+// https://github.com/WICG/feature-policy/blob/gh-pages/features.md. Many of
+// these are still under development in blink behind the
+// featurePolicyExperimentalFeatures flag, see getWebFeaturePolicyFeature().
 enum class WebFeaturePolicyFeature {
   kNotFound = 0,
   // Controls access to video input devices.

third_party/WebKit/public/platform/web_feature.mojom

@@ -1590,6 +1590,11 @@ enum WebFeature {
   kReportUriMultipleEndpoints = 2052,
   kReportUriSingleEndpoint = 2053,
   kV8ConstructorNonUndefinedPrimitiveReturn = 2054,
+  kEncryptedMediaDisallowedByFeaturePolicyInCrossOriginIframe = 2055,
+  kGeolocationDisallowedByFeaturePolicyInCrossOriginIframe = 2056,
+  kGetUserMediaMicDisallowedByFeaturePolicyInCrossOriginIframe = 2057,
+  kGetUserMediaCameraDisallowedByFeaturePolicyInCrossOriginIframe = 2058,
+  kRequestMIDIAccessDisallowedByFeaturePolicyInCrossOriginIframe = 2059,
 
   // Add new features immediately above this line. Don't change assigned
   // numbers of any item, and don't reuse removed slots.

tools/metrics/histograms/enums.xml

@@ -15766,6 +15766,16 @@ uploading your change for review.  These are checked by presubmit scripts.
   <int value="2052" label="ReportUriMultipleEndpoints"/>
   <int value="2053" label="ReportUriSingleEndpoint"/>
   <int value="2054" label="V8ConstructorNonUndefinedPrimitiveReturn"/>
+  <int value="2055"
+      label="EncryptedMediaDisallowedByFeaturePolicyInCrossOriginIframe"/>
+  <int value="2056"
+      label="GeolocationDisallowedByFeaturePolicyInCrossOriginIframe"/>
+  <int value="2057"
+      label="GetUserMediaMicDisallowedByFeaturePolicyInCrossOriginIframe"/>
+  <int value="2058"
+      label="GetUserMediaCameraDisallowedByFeaturePolicyInCrossOriginIframe"/>
+  <int value="2059"
+      label="RequestMIDIAccessDisallowedByFeaturePolicyInCrossOriginIframe"/>
 </enum>
 
 <enum name="FeedbackSource">