Category: Embedded Client Apps (Developers, Vendors, and Administrators)
Summary: Apps now support configurable PermissionsPolicy. This is an emerging standard that is supported mostly by Chrome but has also been implemented in certain circumstances in other browsers. For a while now, we've added a few of these permissions by default for all apps to help ease browser inconsistencies. The spec and browser support have now reached a point where we can make these configurable. So, we've toggled the behavior of adding these by default and are moving to opt-in. The available permissions are: camera, microphone, geolocation, clipboard-write, fullscreen, display-capture.
Context: We have added the ability to manually opt into specific permissions on a per-app basis. As such, we will be removing the automatic insertion of the following permissions: camera, microphone, and geolocation. Additionally, we are requiring that app vendors and administrators manually opt into the minimum permissions required by each app. The principle of least privilege should always be followed to ensure a balance among security, features, and privacy. These permissions will be added to the iframe's permissions policy for origins matching the app's URL (i.e., the default allowlist behavior).
Impact: Upon removal of the automatic insertion of the default permissions, usage of the microphone, camera, and geolocation from within Embedded Client Applications will be blocked unless explicitly allowed. The new permissions you can also enable are clipboard-write, fullscreen, and display-capture.
Ad-hoc Embedded Client App Developers/Administrators:
Assess which permissions your Embedded Client App needs to support. If needed, go to Admin -> Integrations. Open your app definition, navigate to the Configuration tab, and add permissions to the Iframe Feature/Permissions Policy field.
Premium App Vendor/Partners:
Assess which permissions your Premium App needs to support. If needed, contact email@example.com to have your static permissions options updated.
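As an aid to the assessment asked for above, the following added example (not code from this platform) parses an iframe allow attribute value and compares it with the features an app actually uses. The function names parseAllow and auditAllow and the sample strings are assumptions made for illustration.

```javascript
// Added example, not the platform's code. AVAILABLE is the permission list
// from this page; the sample policy string and feature list are constructed.
const AVAILABLE = new Set(['camera', 'microphone', 'geolocation',
  'clipboard-write', 'fullscreen', 'display-capture']);

// Parse an iframe `allow` value such as "camera; microphone 'src'" into a
// Map of feature -> allowlist tokens. No allowlist means the default, 'src'.
function parseAllow(attr) {
  const policy = new Map();
  for (const directive of attr.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    const name = feature.toLowerCase();
    if (!name || policy.has(name)) continue; // skip empties, keep first occurrence
    policy.set(name, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Compare what a policy grants with what the app needs (hypothetical helper).
function auditAllow(attr, needed) {
  const policy = parseAllow(attr);
  const granted = [...policy.keys()];
  const wanted = new Set(needed);
  return {
    // granted names that are not among the six configurable permissions
    unsupported: granted.filter((f) => !AVAILABLE.has(f)),
    // granted but unused: remove these to follow least privilege
    excess: granted.filter((f) => AVAILABLE.has(f) && !wanted.has(f)),
    // used but not granted: blocked once nothing is inserted automatically
    missing: [...wanted].filter((f) => !policy.has(f)),
    // delegated to every origin rather than to the app's own origin
    wildcard: granted.filter((f) => policy.get(f).includes('*')),
    // smallest opt-in list covering the app's needs
    minimal: [...wanted].filter((f) => AVAILABLE.has(f)).sort(),
  };
}

// Constructed case: an app that relied on the old automatic set but only
// records audio and copies text to the clipboard.
const report = auditAllow('camera; microphone; geolocation',
  ['microphone', 'clipboard-write']);
console.log(report);
```

Entries reported under excess are candidates for removal from the app's configuration, and entries under missing are the ones that will be blocked unless explicitly opted into.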
Date of Change: On 1/19/2022, we will disable the automatic insertion of the camera, microphone, and geolocation permissions for all apps. At this point, apps will need to explicitly opt into these permissions, otherwise they will be blocked.
Impacted APIs: This change primarily affects App configuration and is not an API change per se.
If working with integrations dynamically, the permissions can be configured via the following endpoint: