W3C home > Mailing lists > Public > public-media-capture-logs@w3.org > August 2018

Re: [mediacapture-main] What does it mean to 'combine' origins?

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Thu, 30 Aug 2018 17:40:51 +0000
To: public-media-capture-logs@w3.org
Message-ID: <issue_comment.created-417405598-1535650849-sysbot+gh@w3.org>
Yes, I recall the intent being to "double-key" origins so a user who grants persistent permission to

 - bar.com in iframe of foo.com website

does not implicitly granted permission to either

 - bar.com website
 - foo.com website

...because it wouldn't be POLA, since most users don't understand iframes or read URLs in prompts.

Feature Policy should simplify, making foo.com responsible for bar.com, which means users grant to:

 - bar.com in iframe of foo.com website
 - foo.com website

but not

 - bar.com website

Do I have that right, @martinthomson ? 

Someone should probably write succinctly what the plan is in https://github.com/w3c/permissions/issues/176.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/532#issuecomment-417405598 using your GitHub account
Received on Thursday, 30 August 2018 17:40:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:27:34 UTC