Support of HTTP Feature Policies
I'd like to discuss the support of HTTP Feature Policies.
Different browsers seem to have different levels of default strictness when it comes to requests from within iframes. For instance, when using Chrome, even without having the iframe property allow="microphone *" set, it will answer the request from H5P.AudioRecorder. Firefox does not, navigator.mediaDevices.getUserMedia is rejected, throws a NotAllowedError and H5P.AudioRecorder interprets this result as an encryption problem - even if it also listed a blocked microphone as a possible cause, without the proper feature policy the user wouldn't even be able to allow microphone access - leading to this issue on JIRA and likely this one as well where the microphone technically is blocked, but can't be unblocked.
There may be similar problems with missing values for fullscreen and autoplay, too, and currently I am working on a content type that will make use of camera and (magnetometer and geolocation in a future version) as well and will run into the same issues. Maybe someone else comes up with a cool content type that wants to use the accelerometer, etc.
This could easily be fixed by setting the required allow properties for features within H5P's iframe - a one line change in the plugins. If there are explicit server-side restrictions that are stricter than the iframes feature policy, the latter will be overruled. No problem here. The user will still be prompted to give permission to access the required features. A slighter problem possibly, but it's still the user's choice.
1) Are there any concerns about allowing fullscreen, microphone, camera, geolocation and magnetometer overall in H5P's iframe?
Surely, a more sophisticated solution would be to add a feature property to the library definition of a content type library that holds all permissions that are required, to let H5P check those (at least for the content type, ideally for all children, too) and to only set those values that are required.
2) Does this amendmend seem to be vital for a pull request to be accepted?