[screen-wake-lock] Do not use allow="screen-wake-lock" for iframes (#277) from Pranjal Jumde via GitHub on 2020-08-18 (public-device-apis-log@w3.org from August 2020)

From: Pranjal Jumde via GitHub <sysbot+gh@w3.org>
Date: Tue, 18 Aug 2020 22:46:51 +0000
To: public-device-apis-log@w3.org
Message-ID: <issues.opened-681386697-1597790810-sysbot+gh@w3.org>

jumde has just created a new issue for https://github.com/w3c/screen-wake-lock:

== Do not use allow="screen-wake-lock" for iframes ==
It would be better to use only `Feature Policy` to determine which third parties have access to screen-wake-lock

```
{"screen-wake-lock": []}
```

Attributes of iframes can be easily modified by javascript. So a simple XSS can enable `screen-wake-lock` for all third-party iframes on a site.

Please view or discuss this issue at https://github.com/w3c/screen-wake-lock/issues/277 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 18 August 2020 22:46:53 UTC