Re: [mediacapture-main] What does it mean to 'combine' origins? from Jan-Ivar Bruaroey via GitHub on 2018-08-30 (public-media-capture-logs@w3.org from August 2018)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Thu, 30 Aug 2018 17:40:51 +0000
To: public-media-capture-logs@w3.org
Message-ID: <issue_comment.created-417405598-1535650849-sysbot+gh@w3.org>

Yes, I recall the intent being to "double-key" origins so a user who grants persistent permission to

 - bar.com in iframe of foo.com website

does not implicitly granted permission to either

 - bar.com website
 - foo.com website

...because it wouldn't be POLA, since most users don't understand iframes or read URLs in prompts.

Feature Policy should simplify, making foo.com responsible for bar.com, which means users grant to:

 - bar.com in iframe of foo.com website
 - foo.com website

but not

 - bar.com website

Do I have that right, @martinthomson ? 

Someone should probably write succinctly what the plan is in https://github.com/w3c/permissions/issues/176.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/532#issuecomment-417405598 using your GitHub account

Received on Thursday, 30 August 2018 17:40:58 UTC