- From: Jesse Ruderman <jruderman@gmail.com>
- Date: Thu, 17 Mar 2016 17:29:16 -0700
- To: public-webappsec@w3.org
> the UA MUST prevent the embedee from triggering permission prompts to the user

This is reasonable. The site has unnecessarily created a confusing situation. The embedder could have requested the permission itself, or opened a new tab showing only the embedee, depending on need and trust relationships.

> and the UA SHOULD prevent the embedee from acquiring any permissions based on a prior decision made by the user

This is futile. The embedee can use a service worker. Or it can open a new tab where it is the top origin, quickly do what it needs, and close the tab before you notice it was ever open.

(I hope Google Maps would use this tab trick! Having every embedder request geolocation permission would be a disaster for both usability and security.)

Received on Friday, 18 March 2016 10:25:03 UTC