- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Wed, 16 Mar 2016 10:24:46 -0400
- To: Raymes Khoury <raymes@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>
- Message-ID: <CAOAcki_tPt-Fwgjdo4VysWbHUrfwEHQwDdtD388yk258MeJXpg@mail.gmail.com>
Do we even need an API here? It seems like you could achieve the same effect with less back-and-forth / code changes by stipulating that permissions requested from iframe are only valid in the scope of the top-level page. That might make some iframed stuff sad, but you could still get full cross-site-usable permissions if you get users to visit your site. I admit that this doesn't have a great transition story.

Do you have any telemetry on how often permissions-requesting things are used from iframes? That will bound our ability to do stuff in any case.

On Tue, Mar 15, 2016 at 8:20 PM, Raymes Khoury <raymes@google.com> wrote:

> Hi all,
>
> We're looking for comments and feedback on a proposal aimed at making the permissions model for iframes more understandable for people. User research suggests that currently people don't have a good understanding of who they are granting access to when permission requests come from iframes. Also, the way permission decisions are scoped for iframes is inconsistent (across permissions and across UAs), making behavior hard to predict. It's also difficult to build simple UI to communicate and manage iframe permissions.
>
> The idea of the proposal is to require an embedding origin to delegate permission to an iframe in order for the iframe to get access. Sites in iframes would not be able to access permissions unless they were delegated. This means that users would only be required to make permission decisions about the top level origin, which is simpler to understand. It also allows for simpler permission management UI.
>
> We've converted our initial proposal doc [1] into a draft spec, however this is far from final and we're seeking more discussion, feedback and other contributions from those interested:
>
> https://noncombatant.github.io/permission-delegation-api/
>
> The draft includes motivations, a discussion of security considerations and risks, requirements for delegation, as well as an iframe attribute and JS API to delegate permissions.
>
> Thanks,
> Raymes
>
> [1] https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0

Received on Wednesday, 16 March 2016 14:25:15 UTC