- From: Erik Wilde <dret@berkeley.edu>
- Date: Mon, 15 Jun 2009 09:14:41 -0700
- To: "public-geolocation@w3.org" <public-geolocation@w3.org>
Andrei Popescu wrote: > On Mon, Jun 15, 2009 at 5:05 PM, Erik Wilde<dret@berkeley.edu> wrote: >> hello doug. >>> Mobile Safari (Greg can confirm), Google Gears (including Android), and >>> Firefox 3.5 do not restrict device apis to TLD -- IFRAMEs are allowed to >>> access each geolocation. I suggested we consider restricting these sorts of >>> APIs at the Device Security Workgroup back in December. It was more of a >>> strawman position I took to get feedback, and much of the feedback was >>> considerations around what we would break. >> just confirming to understand what's going on: this means when a site is >> granted access to location, all 3rd parties behind it will have access to >> the user's location as well, right? > Wrong. Only that site will be granted access to location. Any 3rd > party (i.e. content from any other origin) will have to get permission > from the user separately. that's really great to hear! and does that policy apply to 3rd party scripts (i.e., not just iframes) as well? doug wrote that the current implementations "do not restrict device apis to TLD - IFRAMEs are allowed to access each geolocation", how does that relate to your comment that no such access is possible? thanks, dret.
Received on Monday, 15 June 2009 16:15:18 UTC