- From: Chris Palmer <palmer@google.com>
- Date: Wed, 16 Mar 2016 12:54:17 -0700
- To: Richard Barnes <rbarnes@mozilla.com>
- Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>
Received on Wednesday, 16 March 2016 19:54:46 UTC
On Wed, Mar 16, 2016 at 7:24 AM, Richard Barnes <rbarnes@mozilla.com> wrote:

> Do we even need an API here? It seems like you could achieve the same
> effect with less back-and-forth / code changes by stipulating that
> permissions requested from iframe are only valid in the scope of the
> top-level page. That might make some iframed stuff sad, but you could
> still get full cross-site-usable permissions if you get users to visit your
> site.

There would still be the situation that an embedee could cause a bad experience for a person who is using the embedder origin, by requesting lots of permissions. This is annoying, causes permission request fatigue, and reflects badly on the embedder (since we believe, on evidence, that people only perceive the embedder).

> I admit that this doesn't have a great transition story. Do you have any
> telemetry on how often permissions-requesting things are used from
> iframes? That will bound our ability to do stuff in any case.

See the Usage section in https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit#heading=h.sn9xlweol7fm. The good news is that usage from cross-origin iframes is low, so we have a chance now to get this right before we have a large installed base of iframes depending on being able to ask for permissions. It's not 0, but it's not yet high.