Disallow notification permission requests from cross-origin iframes
Categories
(Core :: DOM: Notifications, enhancement, P2)
Tracking

| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: johannh, Assigned: ehsan.akhgari)
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(2 files)
(deleted), text/x-phabricator-request
Bug 1560741 - Part 2: Remove the now unneeded PERMISSION_REQUEST_THIRD_PARTY_ORIGIN telemetry probe; (deleted), text/x-phabricator-request
To enable consistent treatment of permission requests in iframes with feature policy, we will deny requests for notification permission in cross-origin iframes.
Chrome announced the same change over 2 years ago, though strangely in my Canary they are still showing the deprecation notice.
Our Telemetry shows that usage is very low at 0.03%, so we should have little to no issues with breakage.
Comment 1•5 years ago
I am relatively confident we decided to do this without the option for the embedder to delegate the notification permission (i.e., without "Feature Policy") as it seems extremely unlikely that embedder A would want to allow embeddee B to create notifications attributed to A. (And if they were attributed to B it would violate the UX simplifications goal as we'd show B to the user whereas the goal is to almost exclusively show A.) If A wants B to create notifications attributed to A it can still do so via a custom postMessage() API.
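Comment 1 notes that A can still let B raise notifications attributed to A through a custom postMessage() API. As an added example (not code from this bug or from Firefox), an embedder-side handler for that route, assuming the hypothetical origins https://widget.example and https://embedder.example and a made-up "notify" message shape:

```javascript
// Added example; runs in the embedder page (origin A). All names are hypothetical.
// Embeddee B (cross-origin iframe) would send, with a constructed target origin:
//   window.parent.postMessage({ type: "notify", title: "...", body: "..." },
//                             "https://embedder.example");
const TRUSTED_EMBEDDEES = new Set(["https://widget.example"]); // constructed origin
const MAX_TITLE = 80;
const MAX_BODY = 200;

// Decide whether a message from a frame may become a notification attributed
// to A. Returns { title, body } to display, or null to ignore the message.
function vetNotifyRequest(event, permission) {
  // event.origin is filled in by the browser, not by the sending frame.
  if (!TRUSTED_EMBEDDEES.has(event.origin)) return null;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "notify") return null;
  if (typeof msg.title !== "string" || typeof msg.body !== "string") return null;
  // Only a grant the user already gave to A is used; a message from the frame
  // never triggers a permission prompt.
  if (permission !== "granted") return null;
  // Forward bounded plain-text fields only; any other option B sent is dropped.
  return { title: msg.title.slice(0, MAX_TITLE), body: msg.body.slice(0, MAX_BODY) };
}

// Browser wiring (skipped when window/Notification are absent, e.g. under Node).
if (typeof window !== "undefined" && typeof Notification !== "undefined") {
  window.addEventListener("message", (event) => {
    const n = vetNotifyRequest(event, Notification.permission);
    if (n) new Notification(n.title, { body: n.body });
  });
}
```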
Comment 2•5 years ago
Comment 3•5 years ago
Comment 5•5 years ago
Backed out 2 changesets (Bug 1560741) for mochitest failures at test_permission_isHandlingUserInput.xul.
Backout: https://hg.mozilla.org/integration/autoland/rev/46b45c5243e972afb0ed9fb47b9d512bacc6cc06
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception&revision=c08aa2078829f2826a58a34ea60b7bca23008bd7&selectedJob=261183008
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261183008&repo=autoland&lineNumber=49993
Comment 7•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b7c91018f87e
https://hg.mozilla.org/mozilla-central/rev/efe5dc48aa87
Comment 8•5 years ago
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/notification-permission-requests-from-cross-origin-iframe-are-now-disallowed/
Comment 9•5 years ago
I've documented this behavior on MDN; see https://github.com/mdn/sprints/issues/2464#issuecomment-564668240 for the full details.
Let me know if you'd like to see any further updates; thanks!