- From: Tobias Buschor <notifications@github.com>
- Date: Tue, 30 Jun 2020 07:29:16 -0700
- To: w3c/permissions <permissions@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/permissions/issues/211@github.com>
While following the current fingerprinting debate, I made the following consideration:
Would it be possible to grant permissions only for domains of the corresponding script?
Let's assume the website runs on trasted-domain.com
trasted-domain.com/main.js:
```js
await navigator.permissions.query({ name: "geolocation" })
// -----------------------------------------------------------------------------
// | would you like to allow access to geolocation for trusted-domain.com? |
// -----------------------------------------------------------------------------
```
tracker.com/main.js:
```js
await navigator.permissions.query({ name: "geolocation" })
// -----------------------------------------------------------------------------
// | Attention, the access is requested from a different domain! |
// | would you like to allow access to geolocation for trusted-domain.com? |
// -----------------------------------------------------------------------------
```
Or better still, it fails in silently anyway?
To make it backwards compatible with the implemented state, would an option `scriptOriginBound:true` be a possibility?
The implementers might only want to allow access with this option enabled.
trasted-domain.com/main.js:
```js
await navigator.permissions.query({ name: "geolocation", scriptOriginBound:true })
```
I don't know if this has already been discussed, but I could not find anything.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/211
Received on Tuesday, 30 June 2020 14:29:29 UTC