- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 13 Jan 2016 18:25:35 +0100
- To: Joel Weinberger <jww@chromium.org>
- Cc: Rich Tibbett <rich.tibbett@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Wed, Jan 13, 2016 at 6:21 PM, Joel Weinberger <jww@chromium.org> wrote:
> Part of the issue is that even if a frame does 'everything' right (and I
> don't really know what 'everything' would mean, so as Anne requested, it
> would be good to make that clear), it would be extremely difficult to
> present permission decisions to the user in a meaningful way. Origins are
> already hard enough to present, and if you have a secure origin requesting a
> permission within a secure frame, how would the user agent present this in a
> way to meaningfully convey the weird security layering going on?

Yeah, allowing permission prompts from origins that do not match the
origin of the address bar has been a big mistake. I hope we can phase
that out over time.

--
https://annevankesteren.nl/

Received on Wednesday, 13 January 2016 17:25:59 UTC