[deviceorientation] Pull Request: Replace same-origin Security & Privacy requirement with Permissions Policy one

rakuco has just submitted a new pull request for https://github.com/w3c/deviceorientation:

== Replace same-origin Security & Privacy requirement with Permissions Policy one ==
This addresses a conflict that was introduced in #121:

- The presence of the Permissions Policy integration means usage of the
  Device Orientation API can be allowed in third-party iframes provided that
  the right tokens are in place.
- The "Security and privacy considerations" section contains a requirement
  that events are fired only on child navigables that are same-origin with
  the top-level traversable.

The latter was introduced in #25 and served as a stop-gap measure before
Permissions Policy integration was added.

The current implementation status is:
- Blink never implemented the same-origin requirement, but added Permissions
  Policy integration in 2018.
- WebKit has always implemented Permissions Policy integration.
- Gecko implements the same-origin requirement (see Mozilla bug 1197901).

This means we can safely replace the same-origin requirement with a
requirement to support the Permissions Policy integration, as switching from
one to the other is transparent in the sense that the exact same set of
websites that worked before will continue to work with the change, as the
features we define have a default allowlist of "self".

Fixes #133


See https://github.com/w3c/deviceorientation/pull/136


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 31 January 2024 10:27:12 UTC
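The Permissions Policy behaviour the pull request relies on, as an added example that is not part of the notification, the spec, or any browser's code: a toy JavaScript model of the inherited-policy decision for a feature whose default allowlist is "self". The feature name "gyroscope" is assumed from the spec's Permissions Policy integration; the frame chains and origins are constructed.

```javascript
// Toy model of the Permissions Policy "inherited policy" check for a feature
// whose default allowlist is 'self', as the Device Orientation features have.
// Simplified illustration, not browser or spec code: the top-level document's
// own Permissions-Policy header is ignored and origins are plain strings.
const FEATURE = "gyroscope"; // feature name assumed from the spec

// Does `origin` match an allowlist from an iframe `allow` attribute?
// 'self' in the attribute refers to the origin of the document that owns
// the iframe, so that origin (`ownerOrigin`) is needed to resolve it.
function allowlistMatches(tokens, origin, ownerOrigin) {
  if (tokens.includes("*")) return true;
  return tokens.some((t) => (t === "self" ? origin === ownerOrigin : t === origin));
}

// Parse `allow="gyroscope 'self' https://x.example; accelerometer"` into a
// Map of feature -> token list. A bare feature name means the 'src' allowlist,
// which for an iframe resolves to the frame's own origin.
function parseAllow(attr, frameOrigin) {
  const policy = new Map();
  for (const decl of attr.split(";")) {
    const parts = decl.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [feature, ...rest] = parts;
    const tokens = rest.length ? rest.map((t) => t.replace(/^'|'$/g, "")) : [frameOrigin];
    policy.set(feature, tokens);
  }
  return policy;
}

// `chain` lists frames from the top-level document inwards; each entry is
// { origin, allow } where `allow` is the value of the <iframe allow="..."> that
// embeds it (unused for the top-level entry). Returns true if FEATURE is
// enabled in the innermost frame.
function featureEnabled(chain) {
  let enabled = true; // the top-level document always has the feature
  let parentOrigin = null;
  for (const frame of chain) {
    if (parentOrigin !== null) {
      if (!enabled) return false; // disabled in the parent -> disabled here
      const declared = parseAllow(frame.allow, frame.origin);
      if (declared.has(FEATURE)) {
        enabled = allowlistMatches(declared.get(FEATURE), frame.origin, parentOrigin);
      } else {
        enabled = frame.origin === parentOrigin; // default allowlist 'self'
      }
    }
    parentOrigin = frame.origin;
  }
  return enabled;
}
```

With no `allow` attribute a cross-origin iframe gets nothing while a same-origin one keeps the feature, so existing pages keep working; a third-party iframe only gets the feature when its embedder delegates the token.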