W3C home > Mailing lists > Public > public-geolocation@w3.org > June 2009

Re: Restricting API access

From: Erik Wilde <dret@berkeley.edu>
Date: Mon, 15 Jun 2009 09:14:41 -0700
Message-ID: <4A367371.6010906@berkeley.edu>
To: "public-geolocation@w3.org" <public-geolocation@w3.org>
Andrei Popescu wrote:
> On Mon, Jun 15, 2009 at 5:05 PM, Erik Wilde<dret@berkeley.edu> wrote:
>> hello doug.
>>> Mobile Safari (Greg can confirm), Google Gears (including Android), and
>>> Firefox 3.5 do not restrict device apis to TLD -- IFRAMEs are allowed to
>>> access each geolocation.  I suggested we consider restricting these sorts of
>>> APIs at the Device Security Workgroup back in December.  It was more of a
>>> strawman position I took to get feedback, and much of the feedback was
>>> considerations around what we would break.
>> just confirming to understand what's going on: this means when a site is
>> granted access to location, all 3rd parties behind it will have access to
>> the user's location as well, right?
> Wrong. Only that site will be granted access to location. Any 3rd
> party (i.e. content from any other origin) will have to get permission
> from the user separately.

that's really great to hear! and does that policy apply to 3rd party 
scripts (i.e., not just iframes) as well? doug wrote that the current 
implementations "do not restrict device apis to TLD - IFRAMEs are 
allowed to access each geolocation", how does that relate to your 
comment that no such access is possible?

thanks,

dret.
Received on Monday, 15 June 2009 16:15:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:50:56 UTC