Guard against Chrome moving Gamepad to HTTPS secure origin #20890
Conversation
…order to access gamepad data. Therefore constrain HTML5 Gamepad API functions to return EMSCRIPTEN_RESULT_NOT_SUPPORTED when getGamepads() does not work but throws an exception.
|
This PR seems to expect that the function can throw, but the actual behavior is that the function returns with an empty array for insecure contexts. See https://wpt.fyi/results/gamepad/gamepad-secure-context.html?label=experimental&label=master&aligned and https://hacks.mozilla.org/2020/07/securing-gamepad-api/. Edit: Although somehow Chrome is broken and returns an array filled with null. 🤔 |
|
Hey @saschanaz thanks for the pointer. I am operating based on this report that we have received: https://forum.unity.com/threads/crash-on-facebook-instant-games-due-to-gamepads-permission.1524454/ There it looks clear that Chrome has thrown an exception from attempting to call It would be really good to get a clarification to this from Google. I'll try to ping some people. |
|
Thanks for the context! That seems irrelevant to the secure context but about the permission policy, e.g. when the code runs within an iframe without explicitly allowing gamepad permission. See: https://w3c.github.io/gamepad/#dom-navigator-getgamepads
It does sounds right to handle the error in that case. I was confused by the title of the PR 😁 |
|
Ah, right. That is a good point, I confused HTTPS and iframe security policy in the exception message. I get word from Chrome team that some time in the future navigator.getGamePads() might move behind HTTPS, so having this PR land helps pave for that way. |
|
Good news, looks like the major vendors are interested in rolling back the https requirement! |
Chrome has (apparently?) moved to requiring a secure HTTPS origin in order to access gamepad data. Therefore constrain HTML5 Gamepad API functions to return EMSCRIPTEN_RESULT_NOT_SUPPORTED when getGamepads() does not work but throws an exception.
W3C Github entry that I found related w3c/gamepad#145 .
Caniuse info is partial and does not mention the requirement of a secure origin: https://caniuse.com/gamepad
Oddly MDN does not say that Chrome would require secure origin, but it instead documents that Firefox requires a secure origin. https://developer.mozilla.org/en-US/docs/Web/API/Navigator/getGamepads
This change has a potential to break a lot of Emscripten compiled web pages, since these functions were never developed with the anticipation that navigator.getGamepads() could throw. (the spec stated no such wording in circa 2014 or so)