Description
We would like to explore disabling midi by default for cross-origin iframes. The idea is that it would be possible for the embedder to re-enable midi using the proposed Feature Policy mechanism.
The change is proposed mainly for the sake of security (see the doc below) but incidentally, this change may help with the current misuse of the midi API for fingerprinting.
Midi already has a failure mode that occurs as a result of the user denying permission. This same failure mode can be reused but we probably still want to alter the spec to include the additional check to see if the feature is allowed by Feature Policy.
Note that this issue is mainly just intended to start the discussion about this change :) Several things would have to happen before we could land it, including Feature Policy being nailed down. The motivations for this change and a discussion of compatibility risk can be found here: https://docs.google.com/document/d/13dp9xWVyGM8THAQohDOT2mMOTSGLxEhSZEvgpmVLrxU/edit