[w3c/permissions] Allow Feature Policy-based permission models (#185)

As I understand it, one driver of Feature Policy is that most users don't understand iframes, e.g. today:
![crossdomainprefeaturepolicyhalf](https://user-images.githubusercontent.com/3136226/47121904-94beb200-d242-11e8-9df1-a78f7b304452.png)

Feature Policy in theory lets browsers implement simpler permission models for the above, like this:
![crossdomainpostfeaturepolicyhalf](https://user-images.githubusercontent.com/3136226/47121913-9be5c000-d242-11e8-9368-6cfc2c880e0d.png)

...where grant is to the top-level domain *nytimes.com*, which delegates w/ `<iframe allow="camera">`.

Importantly, users would no longer expect permission to be persisted for *nytimes.techsupport.fr*, but for *nytimes.com*.

Currently, [request permission to use](https://w3c.github.io/permissions/#request-permission-to-use) says: *"The user’s interaction may provide new information about the user’s intent for this realm and other realms with the same origin."*

This seems too limiting, since the *origin* of the *realm* is still *nytimes.techsupport.fr* here AFAIK.

Any ideas on how this may be written to allow for these new permission models?


Received on Wednesday, 17 October 2018 23:46:51 UTC