Browsing contexts and permissions in sysinfo

(Copying in Jochen Eisinger who raised this point at the privacy workshop; Jochen, please feel free to comment.)

To archive the text for sysinfo that we were looking at in the etherpad:

> A user agent MUST NOT provide any system information related to these property groups to Web sites without the express permission of the user. A user agent MUST acquire permission through a user interface, unless they have prearranged trust relationships with users, as described below. The user interface MUST include the origin of the document in whose context the callback will be invoked. Those permissions that are acquired through the user interface and that are preserved beyond the current browsing session (i.e. beyond the time when the browsing context, as defined in [[HTML5]], is navigated to another URL) MUST be revocable and a user agent MUST respect revoked permissions.
> 
> A user agent MUST separately acquire permission through the user interface when the callback is invoked in the context of a document object that is presented in a nested browsing context, if the origin of the nested browsing context is different from the top-level browsing context's origin. In this case, the permission MUST be scoped to the pair consisting of the top-level browsing context's origin, and the origin within which the callback is executed.
> 
> Example: Alice has granted a persistent permission for an API to be accessed by www.example.com. Alice now navigates to evil.example.net, which includes www.example.com within an iframe. In this case, the user agent must separately obtain authorization from the user, since the API is used within a nested browsing context (the iframe).

		-- http://ietherpad.com/T3KEXexcQg


--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)

Received on Thursday, 15 July 2010 12:30:36 UTC
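The scoping rule in the quoted draft text (a grant for a top-level document is keyed by its origin; a grant for a cross-origin nested context is keyed by the pair of top-level origin and nested origin, and persisted grants must be revocable) can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not code from the sysinfo draft or from anyone on the thread; the class name, the `request`/`revoke` methods and the shape of the `promptUser` callback are assumptions made for the example, and session-only (non-persisted) grants are deliberately not modelled.

```javascript
// Added example, not text from the spec draft or the thread: a toy model of
// the permission-scoping rule quoted above. All names (SysinfoPermissionStore,
// request, revoke, the promptUser callback shape) are assumptions for the
// illustration, not API from the sysinfo draft.

class SysinfoPermissionStore {
  constructor() {
    // Persisted grants, keyed by scope. Session-only grants are not modelled.
    this.grants = new Map();
  }

  // Scope of a grant: the document origin alone when the callback runs in
  // the top-level browsing context, otherwise the pair (top-level origin,
  // nested origin), as the quoted text requires for cross-origin iframes.
  static scopeKey(topLevelOrigin, documentOrigin) {
    return topLevelOrigin === documentOrigin
      ? documentOrigin
      : `${topLevelOrigin} > ${documentOrigin}`;
  }

  hasGrant(topLevelOrigin, documentOrigin) {
    return this.grants.has(SysinfoPermissionStore.scopeKey(topLevelOrigin, documentOrigin));
  }

  // Ask before exposing system information. promptUser stands in for the
  // user interface: it receives the origin of the document whose callback
  // will run (plus the embedding top-level origin, so the UI can show it)
  // and returns { allow: boolean, persist: boolean }.
  request(topLevelOrigin, documentOrigin, promptUser) {
    const key = SysinfoPermissionStore.scopeKey(topLevelOrigin, documentOrigin);
    if (this.grants.has(key)) {
      return { granted: true, prompted: false, scope: key };
    }
    const decision = promptUser({ origin: documentOrigin, topLevelOrigin });
    if (decision.allow && decision.persist) {
      this.grants.set(key, true);
    }
    return { granted: Boolean(decision.allow), prompted: true, scope: key };
  }

  // Persisted grants must be revocable; returns true if a grant was removed.
  revoke(topLevelOrigin, documentOrigin) {
    return this.grants.delete(SysinfoPermissionStore.scopeKey(topLevelOrigin, documentOrigin));
  }
}

// Walk through the Alice example from the quoted text. Returns the sequence
// of "was the user prompted?" flags so the scoping behaviour can be checked.
function runAliceScenario() {
  const store = new SysinfoPermissionStore();
  const alwaysAllowPersist = () => ({ allow: true, persist: true });
  const top = "https://www.example.com";
  const embedder = "https://evil.example.net";
  const prompted = [];

  // 1. Alice visits www.example.com directly and grants a persistent permission.
  prompted.push(store.request(top, top, alwaysAllowPersist).prompted);
  // 2. Same top-level site again: the persisted grant applies, no prompt.
  prompted.push(store.request(top, top, alwaysAllowPersist).prompted);
  // 3. evil.example.net embeds www.example.com in an iframe: a different
  //    scope, so the user agent must prompt again despite the grant in step 1.
  prompted.push(store.request(embedder, top, alwaysAllowPersist).prompted);
  // 4. The grant from step 3 is scoped to the (top-level, nested) pair, so
  //    the same embedding does not prompt a second time.
  prompted.push(store.request(embedder, top, alwaysAllowPersist).prompted);
  // 5. Alice revokes the embedded grant; the next use in that scope prompts.
  store.revoke(embedder, top);
  prompted.push(store.request(embedder, top, alwaysAllowPersist).prompted);

  return {
    prompted,
    topLevelGrantStillHeld: store.hasGrant(top, top),
  };
}

console.log(JSON.stringify(runAliceScenario()));
```

The key point the model makes visible is that the grant obtained in step 1 never answers the request in step 3: the store is queried with a different scope key, so the embedding site cannot ride on a permission the user gave to www.example.com as a top-level site. Revocation likewise removes exactly one scope, leaving the top-level grant in place.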