- From: pes <notifications@github.com>
- Date: Fri, 01 Nov 2019 14:28:55 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 1 November 2019 21:28:57 UTC
Some privacy concerns (re-raising from email conversations with authors): 1) The spec seems very susceptible to spoofing (I _believe_ the authors were going to reviseā¦). Being able to position the modal at the bottom of the window seems to make a "overlapping with the toolbar / URL bar" spoofing defense. Even more so with the ability to go fullscreen, and for the context being able to resize the modal window. 2) [The same issue raised against similar functionality in the Payment Handler API](https://github.com/w3c/payment-handler/issues/351): The spec says that the modal window is a 1p context. This cuts against the privacy improvements being pushed by partitioning storage, Safari's ITP, Brave's storage and cookie, as it allows peer communication between 1ps, and would enable cross site tracking. The modal context should be 3p, and a nested context of the triggering page. Hope this helps -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/427#issuecomment-548957191
Received on Friday, 1 November 2019 21:28:57 UTC