Re: Restricting API access

Hi all,

Within the Geolocation Working Group we've been discussing a few  
different methods of securing the location API, one of which is  
described below by Doug Turner [1]:

On May 21, 2009, at 6:02 PM, Doug Turner wrote:

> got some feedback on this.  this isn't how it works today, but I  
> think it is the way it should work in the future. Even more so, I  
> have been considering restricting device apis (like geolocation) to  
> top level documents only and prevent iframes from accessing this  
> APIs.  I did get some push back in Dec when I suggested this at our  
> w3c devices workshop (are the notes anywhere for this? thomas?).   
> This will break many of the sites like igoogle and others that embed  
> content from remote origins.  However such sites, could use  
> something like PostMessage to explicitly send data.
>
> Is this an overkill? Thoughts?

This seems like an idea on which both WebApps and the Device API and  
Policy WG's would be interested in contributing to a discussion.   
Already some members of those groups have already been contributing in  
this thread [2].  (We're tracking this as ISSUE-9 [3])

Thank you,

-Matt Womer


[1] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0053.html

[2] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0055.html

[3] http://www.w3.org/2008/geolocation/track/issues/9

Received on Monday, 15 June 2009 17:40:51 UTC