W3C home > Mailing lists > Public > public-geolocation@w3.org > November 2011

Permission on behalf of whom

From: Simon Pieters <simonp@opera.com>
Date: Thu, 10 Nov 2011 08:24:04 +0100
To: public-geolocation@w3.org
Message-ID: <op.v4pyuekfidj3kv@simon-pieterss-macbook.local>
Consider a page with origin http://example.org which sets document.domain  
to 'example.org' and embeds another page with origin  
http://foo.example.org which also sets document.domain to 'example.org'.  
The outer page then runs a script as follows:

    window[0].navigator.getCurrentPosition(success, error);

For which origin should the UA say the request comes from?

getUserMedia says the entry script's origin.

"Prompt the user in a user-agent-specific manner for permission to provide  
the entry script's origin with a LocalMediaStream object representing a  
media stream."

I think geolocation should use this model also.

Concretely, I'd like the geolocation spec to use some langauge as along  
the following lines:

"For both getCurrentPosition and watchPosition, the implementation must  
never invoke the successCallback without having first obtained permission  
 from the user to share location on behalf of the origin of the entry  
script that called the method."

with "origin" and "entry script" being defined in the HTML spec.

Simon Pieters
Opera Software
Received on Thursday, 10 November 2011 07:22:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:33:58 UTC