Re: [w3c/permissions] Allow Feature Policy-based permission models (#185)

> Currently, request permission to use says: "The user’s interaction may provide new information about the user’s intent for this realm and other realms with the same origin."
> 
> This seems too limiting, since the origin of the realm is still nytimes.techsupport.fr here AFAIK.

Even though the response to the permission request only provides new information for that realm, the user agent is free to decide how it returns a value when ["Reading the current Permission State"](https://www.w3.org/TR/permissions/#reading-current-states) (See step 4 in particular).

That means that the user agent, when querying permission for the iframe, is free to say something like "nytimes.techsupport.fr doesn't have access but the top level frame (nytimes.com) does have access so grant access to the iframe".

We intentionally left this freedom in "Reading the current Permission State" so that user agents would have freedom for things like this, but also for things like implementing Crowd Deny.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/185#issuecomment-431264966

Received on Friday, 19 October 2018 07:01:41 UTC