- From: Simon Pieters <simonp@opera.com>
- Date: Thu, 10 Nov 2011 16:26:28 +0100
- To: public-geolocation <public-geolocation@w3.org>, "Steve Block" <steveblock@google.com>
On Thu, 10 Nov 2011 15:40:58 +0100, Steve Block <steveblock@google.com> wrote: > Hi Simon, > > Note that the Geolocation spec already specifies that the permission > UI should use the host component of the document's URI [1]. We agreed > some time ago to use just the host, not the complete origin. It says "The user interface must include the host component of the document's URI [URI]." However, what to show in the UI is not necessarily the same as what to use as the "key" when storing the permission. Chrome uses origin (actually a pair of origins if the page is embedded in a cross-origin iframe), while Firefox uses the domain name, and Opera currently uses the domain name also. > I think you're right that it would be good to clarify the behavior in > the case where script in one document accesses the Geolocation object > in another document. > >> with "origin" and "entry script" being defined in the HTML spec. > Do you mean the W3C HTML5 spec [2] ? Right. > If I understand this correctly, under your proposal of using 'entry > script', the relevant host for the purposes of Geolocation permissions > in your example is that of the outer document. Yes. > If the code were ... > > window[0].myGetCurrentPositionWrapper(); > > then the relevant host would be that of window[0]'s document, ie the > document corresponding to the Geolocation object. No. "entry script" is still the outer script in this case, I think. > Thanks, > Steve > > [1] http://dev.w3.org/geo/api/spec-source.html#privacy_for_uas > [2] http://dev.w3.org/html5/spec/Overview.html#entry-script ? -- Simon Pieters Opera Software
Received on Thursday, 10 November 2011 15:25:12 UTC