Re: ISSUE-187 - What is the right approach to exception handling & ISSUE-185 from David Singer on 2012-12-05 (public-tracking@w3.org from December 2012)

From: David Singer <singer@apple.com>
Date: Tue, 04 Dec 2012 16:43:29 -0800
To: David Wainberg <david@networkadvertising.org>
Cc: Mike O'Neill <michael.oneill@baycloud.com>, public-tracking@w3.org
Message-id: <F50FEBDC-B950-47E8-901F-2C331101D9B5@apple.com>

On Dec 4, 2012, at 7:42 , David Wainberg <david@networkadvertising.org> wrote:

> 
> On 12/2/12 6:28 AM, Mike O'Neill wrote:
>> The sentence in 6.4.1 (The execution of this API and the use of the resulting permission (if granted) use the 'implicit' parameter, when the API is called, the document origin. This forms the first part of the duplet in the logical model, and hence in operation will be compared with the top-level origin) makes it clear that only script in the context of the top-level origin can register a UGE for the site. If script in third-party embedded iframe makes a SS UGE call, the implicit document origin points to the third-party domain so the exception applies there and not at the parent window’s origin.
>> 
> 
> Can someone clarify? Is this true? A party in an iFrame should be able to request a UGE for the top level page context, not the iFrame that it's in.

Why would that be the case?  That would allow any of the advertisers or other third parties on a page to ask for something on behalf of the first party.  Somehow, I feel that parties should only be allowed to ask for something for themselves.  That way the responsibility and the benefit are aligned.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 5 December 2012 00:43:58 UTC