- From: Mounir Lamouri <notifications@github.com>
- Date: Thu, 10 Dec 2015 16:34:14 -0800
- To: w3c/permissions <permissions@noreply.github.com>
- Message-ID: <w3c/permissions/issues/55/163795731@github.com>
I don't think we are in a situation where we can realistically tell UA the exact rules regarding permission handling. Every browser have their own way to deal with permissions. All use the requesting origins. Some like Chromium based browsers might use the embedder's origin. For example, Chrome uses the embedder's origin for the geolocation API while last I checked Firefox doesn't. However, at the time of writing, Chrome doesn't use the embedder's origin for Notifications permission, so does Firefox. Even if all browsers had the same behaviour, browsers might want to evolve their permission handling. For example, Chrome and Firefox are slowly deprecating some APIs on insecure origins. A direct consequence would be that the API will be exposed as denied regardless of the origin if it isn't considered secure. We can imagine that a browser might stop allowing embedded origins to access some API. What the Permissions API does is exposing whether the website has access to the API in the current context. The browser implementation of the Permissions API should take into account whether the embedder's origin is used in that decision. This said, I'm not sure how and why the website should be aware of this. --- Reply to this email directly or view it on GitHub: https://github.com/w3c/permissions/issues/55#issuecomment-163795731
Received on Friday, 11 December 2015 00:34:48 UTC