RE: ISSUE-187 - What is the right approach to exception handling & ISSUE-185



The SS and WW UGE situations are different because in the former a frame
can get an exception for itself but only in the context of the frame's
domain when (later) it is the top-level origin. In the WW case the exception
applies everywhere so the effect is greater.


Letting a frame make an exception for itself when it is accessed later as a
first-party is relatively benign, but seems a bit pointless.  Maybe the
top-level origin compare should be for both (if we decide we need it).






From: David Singer
Sent: 03 December 2012 23:03
Subject: Re: ISSUE-187 - What is the right approach to exception handling &


Hi Mike


this is an aspect that didn't actually change in this re-write, but
responding nonetheless.


On Dec 2, 2012, at 3:28 , Mike O'Neill wrote:



I think the new API is fine for site-specific exceptions, because we are
putting the responsibility to get user agreement on sites where it is
legally anyway.


The sentence in 6.4.1 (The execution of this API and the use of the
resulting permission (if granted) use the 'implicit' parameter, when the API
is called, the document origin. This forms the first part of the duplet in
the logical model, and hence in operation will be compared with the
top-level origin) makes it clear that only script in the context of the
top-level origin can register a UGE for the site. 


No, that's not quite it.


To *register* the exception, in either case, the call is made from a
document whose *document origin* is the site registering.  The top-level
origin is not considered at the time of the *call*.


For site-wide exceptions, that origin is entered into the database as the
first parameter, which is later compared to the *top-level origin* when an
HTTP request is being made.

If script in a third-party embedded iframe makes a SS UGE call, the implicit
document origin points to the third-party domain so the exception applies
there and not at the parent window's origin.


Correct.  It's possible for, for example, a consortium of web sites to make
a page of frames, each of which gets user-consent and then registers their


Unfortunately this is not true for the web-wide API so it is possible that
script inside a child iframe could register an exception, which may not
reflect a user's intention.


You can always use a frame, in either case, to register; the security is the


If we decide to keep web-wide exceptions under the new UI-less regime it
would be safer to limit them to script in the context of the top-level origin,
which effectively is the situation for site-specific exceptions. I suggest
we put a sentence like the following into 6.5.1 (and similar in 6.5.2),


The web-wide exception is only granted if the document origin host of the
calling script is the same as the top-level origin host.





David Singer

Multimedia and Software Standards, Apple Inc.


Received on Tuesday, 4 December 2012 10:06:29 UTC
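
The registration and lookup behaviour discussed in this thread, as an added example that is not code from either participant or from the draft specification. It is a toy model: the class, method and option names are hypothetical, the hosts are constructed, and it assumes a site-specific call stores the caller's host with a wildcard target while a web-wide call stores the caller's host as excepted on every site.

```javascript
// Toy model of the exception database discussed in this thread.
// Every name below is hypothetical; none is taken from the draft API.
class ExceptionStore {
  constructor({ requireTopLevelMatch = false } = {}) {
    this.requireTopLevelMatch = requireTopLevelMatch; // the proposed rule
    this.siteSpecific = [];   // duplets { site, target }
    this.webWide = new Set(); // hosts excepted on every site
  }
  static host(origin) { return new URL(origin).host; }
  // Site-specific: the caller's document origin is the implicit first part
  // of the duplet. The top-level origin is not consulted at call time.
  registerSiteSpecific(documentOrigin, target = "*") {
    this.siteSpecific.push({ site: ExceptionStore.host(documentOrigin), target });
    return true;
  }

  // Web-wide: the caller's host becomes excepted everywhere. With the
  // proposed rule the call is refused unless caller host == top-level host.
  registerWebWide(documentOrigin, topLevelOrigin) {
    const caller = ExceptionStore.host(documentOrigin);
    if (this.requireTopLevelMatch && caller !== ExceptionStore.host(topLevelOrigin)) {
      return false;
    }
    this.webWide.add(caller);
    return true;
  }

  // Checked when an HTTP request is made: is requestHost excepted while
  // the user is on a page whose top-level origin is topLevelOrigin?
  isExcepted(topLevelOrigin, requestHost) {
    if (this.webWide.has(requestHost)) return true;
    const top = ExceptionStore.host(topLevelOrigin);
    return this.siteSpecific.some(
      (e) => e.site === top && (e.target === "*" || e.target === requestHost));
  }
}

// Constructed scenario: a frame from ads.example embedded in news.example.
function scenario(requireTopLevelMatch) {
  const store = new ExceptionStore({ requireTopLevelMatch });
  const frame = "https://ads.example", top = "https://news.example";
  store.registerSiteSpecific(frame);
  const ssOnParent = store.isExcepted(top, "ads.example");
  const ssOnSelf = store.isExcepted(frame, "ads.example");
  const wwGranted = store.registerWebWide(frame, top);
  const wwOnParent = store.isExcepted(top, "ads.example");
  return { ssOnParent, ssOnSelf, wwGranted, wwOnParent };
}
console.log(scenario(false), scenario(true));
```

In both runs the frame's site-specific exception has no effect on the parent page; only the web-wide result changes when the proposed top-level host comparison is switched on.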