W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Restricting API access

From: Matt Womer <mdw@w3.org>
Date: Mon, 15 Jun 2009 13:40:25 -0400
Message-Id: <67A247FE-8425-4010-9E6F-F269AE845A6A@w3.org>
To: public-webapps@w3.org, Geolocation Working Group WG <public-geolocation@w3.org>, public-device-apis@w3.org
Hi all,

Within the Geolocation Working Group we've been discussing a few  
different methods of securing the location API, one of which is  
described below by Doug Turner [1]:

On May 21, 2009, at 6:02 PM, Doug Turner wrote:

> got some feedback on this.  this isn't how it works today, but I  
> think it is the way it should work in the future. Even more so, I  
> have been considering restricting device apis (like geolocation) to  
> top level documents only and prevent iframes from accessing this  
> APIs.  I did get some push back in Dec when I suggested this at our  
> w3c devices workshop (are the notes anywhere for this? thomas?).   
> This will break many of the sites like igoogle and others that embed  
> content from remote origins.  However such sites, could use  
> something like PostMessage to explicitly send data.
>
> Is this an overkill? Thoughts?

This seems like an idea on which both WebApps and the Device API and  
Policy WG's would be interested in contributing to a discussion.   
Already some members of those groups have already been contributing in  
this thread [2].  (We're tracking this as ISSUE-9 [3])

Thank you,

-Matt Womer


[1] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0053.html

[2] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0055.html

[3] http://www.w3.org/2008/geolocation/track/issues/9
Received on Monday, 15 June 2009 17:41:50 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT