- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 07 May 2008 14:14:52 -0500
- To: Scott Shattuck <idearat@mindspring.com>
- CC: "Web API WG (public)" <public-webapi@w3.org>
Scott Shattuck wrote:
> This is possible today on IE and Mozilla with a single user-visible
> security prompt.
That's only the case in Mozilla if:
1) The script is running at a file:// URI
or
2) The user has changed a hidden preference to allow random
sites to put up this prompt.
or
3) The site is in a signed jar. In particular, in this situation
the user has a bit more of an idea of "who" the site is than
in most cases.
Note that there are likely to be more restrictions placed on this functionality
in the future (possibly including removing it altogether).
> Once answered this functionality is accessible.
Temporarily, yes. The permissions grant is for the lifetime of the JS stack
frame the request was made in, unless the user selects the "remember this
decision" checkbox.
> "Remember this decision" to the above prompt.
Yes, but that's a very clear decision on the user's part. And again, it's
something that's subject to change. It's certainly not something that we feel
is particularly great security.
-Boris
Received on Wednesday, 7 May 2008 19:15:33 UTC