Deprecate obsolete permissions policy directives

`speaker`, `vibrate`, and `vr` were [listed as policy-controlled features][1] around the time when #33439 was first written (2018-07-25). However, `vibrate` was removed in w3c/webappsec-permissions-policy@b7271ac0f2, `vr` was changed to `xr` in w3c/webappsec-permissions-policy@bec5ce6547, and `speaker` was removed in w3c/webappsec-permissions-policy@18707d396e. (And `xr` was later changed to `xr-spatial-tracking`, and still only has [experimental support][2].) Therefore, this commit deprecates these permissions policy directives. [1]: 6d8bbbe738/features.md (policy-controlled-features) [2]: 432a1532c9/features.md (standardized-features)
2022-10-05 11:55:05 -05:00 · 2022-10-05 11:55:05 -05:00 · 1466b44299
commit 1466b44299
parent 2a9f8aeb24
3 changed files with 39 additions and 4 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,3 +1,12 @@
+*   The `speaker`, `vibrate`, and `vr` permissions policy directives are now
+    deprecated.
+
+    There is no browser support for these directives, and no plan for browser
+    support in the future. You can just remove these directives from your
+    application.
+
+    *Jonathan Hefner*
+
 *   Added the `:status` option to `assert_redirected_to` to specify the precise
    HTTP status of the redirect. Defaults to `:redirect` for backwards
    compatibility.
--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
@ -104,11 +104,8 @@ def permissions_policy=(policy)
      picture_in_picture:   "picture-in-picture",
      screen_wake_lock:     "screen-wake-lock",
      serial:               "serial",
-      speaker:              "speaker",
      sync_xhr:             "sync-xhr",
      usb:                  "usb",
-      vibrate:              "vibrate",
-      vr:                   "vr",
      web_share:            "web-share",
    }.freeze

@ -135,6 +132,25 @@ def initialize_copy(other)
      end
    end

+    %w[speaker vibrate vr].each do |directive|
+      define_method(directive) do |*sources|
+        ActiveSupport::Deprecation.warn(<<~MSG)
+          The `#{directive}` permissions policy directive is deprecated
+          and will be removed in Rails 7.2.
+
+          There is no browser support for this directive, and no plan
+          for browser support in the future. You can just remove this
+          directive from your application.
+        MSG
+
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
    def build(context = nil)
      build_directives(context).compact.join("; ")
    end
--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
@ -34,11 +34,21 @@ def test_multiple_directives_for_multiple_directives

  def test_invalid_directive_source
    exception = assert_raises(ArgumentError) do
-      @policy.vr [:non_existent]
+      @policy.geolocation [:non_existent]
    end

    assert_equal "Invalid HTTP permissions policy source: [:non_existent]", exception.message
  end
+
+  def test_deprecated_directives
+    assert_deprecated { @policy.speaker :self }
+    assert_deprecated { @policy.vibrate :self }
+    assert_deprecated { @policy.vr :self }
+
+    assert_not_deprecated do
+      assert_equal "speaker 'self'; vibrate 'self'; vr 'self'", @policy.build
+    end
+  end
 end

 class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest