- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 07 May 2008 14:14:52 -0500
- To: Scott Shattuck <idearat@mindspring.com>
- CC: "Web API WG (public)" <public-webapi@w3.org>
Scott Shattuck wrote: > This is possible today on IE and Mozilla with a single user-visible > security prompt. That's only the case in Mozilla if: 1) The script is running at a file:// URI or 2) The user has changed a hidden preference to allow random sites to put up this prompt. or 3) The site is in a signed jar. In particular, in this situation the user has a bit more of an idea of "who" the site is than in most cases. Note that there are likely to be more restrictions placed on this functionality in the future (possibly including removing it altogether). > Once answered this functionality is accessible. Temporarily, yes. The permissions grant is for the lifetime of the JS stack frame the request was made in, unless the user selects the "remember this decision" checkbox. > "Remember this decision" to the above prompt. Yes, but that's a very clear decision on the user's part. And again, it's something that's subject to change. It's certainly not something that we feel is particularly great security. -Boris
Received on Wednesday, 7 May 2008 19:15:33 UTC