Re: Restricting API access

On Mon, Jun 15, 2009 at 5:05 PM, Erik Wilde <dret@berkeley.edu> wrote:
> hello doug.
>
> Doug Turner wrote:
>>
>> Mobile Safari (Greg can confirm), Google Gears (including Android), and
>> Firefox 3.5 do not restrict device apis to TLD -- IFRAMEs are allowed to
>> access each geolocation.  I suggested we consider restricting these sorts of
>> APIs at the Device Security Workgroup back in December.  It was more of a
>> strawman position I took to get feedback, and much of the feedback was
>> considerations around what we would break.
>
> just confirming to understand what's going on: this means when a site is
> granted access to location, all 3rd parties behind it will have access to
> the user's location as well, right?

Wrong. Only that site will be granted access to location. Any 3rd
party (i.e. content from any other origin) will have to get permission
from the user separately.

Andrei

Received on Monday, 15 June 2009 16:10:43 UTC