W3C home > Mailing lists > Public > public-device-apis-log@w3.org > January 2018

Re: [battery] Allow use in same-origin children, add Feature Policy integration

From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Jan 2018 13:12:59 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-356598304-1515589944-sysbot+gh@w3.org>
@mounirlamouri any precedence on how you've handled similar situations in the past? I assume there are occurrences of APIs being restricted to secure origin.

Indeed without knowing which websites are using the feature in ways that'd be blocked, we don't know whether they'd be able to migrate over to HTTPS and/or add the required Feature Policy tokens to the embedder page. My hunch is requiring FP would help weed out possible malicious usage.

Adding these restrictions might help other implementers to move forward with the feature, so I suggest we analyze this more and seek feedback from other browser vendors too.

Would logging warnings to console on insecure or cross-origin usage help us gather data on the nature of usage in Chrome? I'd assume impacted sites having legitimate usage would let us know if we'd point them to this issue in the warning message.

Any further help and ideas appreciated :-)

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/battery/pull/13#issuecomment-356598304 using your GitHub account
Received on Wednesday, 10 January 2018 13:16:38 UTC

This archive was generated by hypermail 2.4.0 : Monday, 4 July 2022 12:47:55 UTC