[deviceorientation] Same origin S&P requirement conflicts with Permissions Policy integration (#133)

rakuco has just created a new issue for https://github.com/w3c/deviceorientation:

== Same origin S&P requirement conflicts with Permissions Policy integration ==
With the official integration of the Permissions Policy bits in #121, we now have contradicting requirements in the spec:
* The presence of the Permissions Policy integration means usage of the Device Orientation API can be allowed in third-party iframes provided that the right tokens are in place (also subject to the requestPermission()/Permissions API requirements added in #123).
* The "Security and privacy considerations" section contains the following excerpt: _"fire events only on the top-level traversable's active window and child navigables' active windows whose relevant settings object's origin is same origin with the top-level traversable's active window's relevant settings object's origin"_, which is a complicated but more spec-compliant wording of the [previous version](https://www.w3.org/TR/2022/WD-orientation-event-20220610/#security-and-privacy), _"fire events only on the top-level browsing context and same-origin nested browsing contexts"_.

The same-origin requirement was added back in 2016 with #25, and it was implemented by Gecko in https://bugzilla.mozilla.org/show_bug.cgi?id=1197901 (change mirrored in https://github.com/mozilla/gecko-dev/commit/bdb1f6d5c64b200ce69afe4e2a764d20e59fd3b9).

As far as I can see, this requirement was never implemented in Blink, but it did add Permissions Policy integration in early 2018 (https://bugs.chromium.org/p/chromium/issues/detail?id=796894). When WebKit implemented this API a few years later, they did add Permissions Policy integration as well, so we have 2 engines implementing the Permissions Policy integration and 1 implementing the same-origin requirement.

My proposal is to remove that item from the S&P section and add a new item referring to the Permissions API and Permissions Policy integration requirements. The current Permissions Policy requirements (with features whose default allowlist is "self") act as a superset of the original requirement -- AFAICS, an implementation that switches from one requirement to the other will continue allowing the exact same set of sites (and this is without taking the Permissions API integration into consideration).

Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/133 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 30 January 2024 12:16:05 UTC
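The comparison the issue draws between the two requirements can be made concrete with a small model. The following JavaScript is an added example and is not code from the issue, from the deviceorientation spec or from any browser engine: it evaluates the older "same-origin with the top-level window" rule and a simplified version of the Permissions Policy inherited-policy check over a constructed frame tree, then checks that every frame the first rule admits is also admitted by a feature whose default allowlist is "self". The feature name "accelerometer" is assumed here as the policy-controlled feature; response-header policies and the Permissions API integration are deliberately not modelled, so the top-level document is always treated as enabled.

```javascript
// Added example, not from the issue or the spec: compare the same-origin
// requirement with a simplified Permissions Policy check.

// Assumption: the policy-controlled feature name used by the spec.
const FEATURE = "accelerometer";

// Constructed sample origins.
const TOP = "https://app.example";
const THIRD = "https://widget.example";

// A frame carries its origin, its parent frame (null for the top-level
// document) and the parsed `allow` attribute of the <iframe> embedding it,
// e.g. { accelerometer: ["src"] } or { accelerometer: ["https://x.example"] }.
function makeFrame(label, origin, parent = null, allowAttr = {}) {
  return { label, origin, parent, allowAttr };
}

function topLevelOrigin(frame) {
  let f = frame;
  while (f.parent !== null) f = f.parent;
  return f.origin;
}

// The rule quoted in the S&P section: events fire in the top-level window
// and in nested windows whose origin is same-origin with it.
function sameOriginRuleAllows(frame) {
  return frame.origin === topLevelOrigin(frame);
}

// Allowlist entries as they appear in an <iframe allow=...> attribute:
// "*" (any origin), "src" (the frame's own origin) or an explicit origin.
function allowlistMatches(allowlist, frame) {
  return allowlist.some(
    (entry) => entry === "*" || entry === "src" || entry === frame.origin
  );
}

// Simplified "define an inherited policy" from Permissions Policy. Header
// policies are not modelled, so the top-level document is always enabled.
// defaultAllowlist is the feature's default allowlist ("self" or "*").
function permissionsPolicyAllows(frame, feature, defaultAllowlist = "self") {
  if (frame.parent === null) return true;
  // A disabled ancestor disables every descendant.
  if (!permissionsPolicyAllows(frame.parent, feature, defaultAllowlist)) {
    return false;
  }
  const declared = frame.allowAttr[feature];
  if (declared !== undefined) return allowlistMatches(declared, frame);
  if (defaultAllowlist === "*") return true;
  // Default allowlist "self": enabled only when the frame is same-origin
  // with the document that embeds it.
  return frame.origin === frame.parent.origin;
}

// Evaluate both rules for every frame in the tree.
function compareRules(frames, feature = FEATURE) {
  return frames.map((f) => ({
    label: f.label,
    sameOrigin: sameOriginRuleAllows(f),
    permissionsPolicy: permissionsPolicyAllows(f, feature, "self"),
  }));
}

// True when every frame admitted by the same-origin rule is also admitted
// by Permissions Policy with the default allowlist "self".
function policyIsSuperset(frames, feature = FEATURE) {
  return compareRules(frames, feature).every(
    (r) => !r.sameOrigin || r.permissionsPolicy
  );
}

// Constructed sample tree: a top-level document and four direct children.
function buildSampleTree() {
  const top = makeFrame("top-level document", TOP);
  return [
    top,
    makeFrame("same-origin child, no allow attribute", TOP, top),
    makeFrame("cross-origin child, no allow attribute", THIRD, top),
    makeFrame('cross-origin child, allow="accelerometer"', THIRD, top, {
      [FEATURE]: ["src"],
    }),
    makeFrame(
      'cross-origin child, allow="accelerometer https://other.example"',
      THIRD,
      top,
      { [FEATURE]: ["https://other.example"] }
    ),
  ];
}

for (const row of compareRules(buildSampleTree())) {
  console.log(
    `${row.label}: same-origin rule=${row.sameOrigin}, ` +
      `permissions policy=${row.permissionsPolicy}`
  );
}
console.log("superset:", policyIsSuperset(buildSampleTree()));
```

The sample tree only places frames directly under the top-level document, which is the third-party iframe case the issue discusses; the recursive parent check in permissionsPolicyAllows is what makes a disabled ancestor disable its descendants, and anyone extending the tree with deeper nesting or with header-declared policies should expect the two rules to be compared again under those conditions.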