- From: Simon Pieters <simonp@opera.com>
- Date: Thu, 10 Nov 2011 08:24:04 +0100
- To: public-geolocation@w3.org
Consider a page with origin http://example.org which sets document.domain
to 'example.org' and embeds another page with origin
http://foo.example.org which also sets document.domain to 'example.org'.
The outer page then runs a script as follows:
window[0].navigator.getCurrentPosition(success, error);
For which origin should the UA say the request comes from?
getUserMedia says the entry script's origin.
"Prompt the user in a user-agent-specific manner for permission to provide
the entry script's origin with a LocalMediaStream object representing a
media stream."
I think geolocation should use this model also.
Concretely, I'd like the geolocation spec to use some langauge as along
the following lines:
"For both getCurrentPosition and watchPosition, the implementation must
never invoke the successCallback without having first obtained permission
from the user to share location on behalf of the origin of the entry
script that called the method."
with "origin" and "entry script" being defined in the HTML spec.
--
Simon Pieters
Opera Software
Received on Thursday, 10 November 2011 07:22:50 UTC