Re: [w3c/permissions] Script origin bound permissions (#211)

Permissions Policy attempts to solve this, though at the document origin level, not script origin.

Implementing this based on script origin would be difficult, and likely ineffective. If tracker.com can get you to run their script on your page, then they can do things other than requesting permission directly. (They can write new scripts directly into the DOM, either directly or indirectly, and can have geolocation data passed silently between scripts, as they'd be running in the same global environment).

Solving this with the current JS execution model would probably require taint tracking at least, to ensure that the command to request permission really did originate in the assumed origin, if it's possible at all. Executing third-party scripts is really giving a lot of trust to whoever controls that code.

-- 
https://github.com/w3c/permissions/issues/211#issuecomment-651837896

Received on Tuesday, 30 June 2020 14:41:46 UTC
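
The document-origin granularity mentioned in the message above, as an added example (not part of the original message and not code from the Permissions Policy specification): a simplified evaluator for a `Permissions-Policy` response header, whose only inputs are document origins. It assumes that iframe `allow` attributes and inherited policy are ignored; the header value and the `.example` origins are constructed.

```javascript
// Constructed sample header for a page served from https://shop.example.
const SAMPLE_HEADER = 'geolocation=(self "https://maps.example"), camera=()';

// Parse the header into a Map of feature -> allowlist members.
// Tokens (self, *) stay bare; origin strings keep their quotes.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const entry of headerValue.split(",")) {
    const m = entry.trim().match(/^([a-z][a-z0-9-]*)=(.*)$/);
    if (!m) continue; // skip malformed members
    const raw = m[2].trim();
    const inner = raw.startsWith("(") ? raw.slice(1, raw.lastIndexOf(")")) : raw;
    policy.set(m[1], inner.match(/"[^"]*"|[^\s"]+/g) || []);
  }
  return policy;
}

// Does the header's allowlist for `feature` match `requestingOrigin`?
// Both origin arguments are *document* origins (the page or an embedded
// frame). The URL a script was loaded from is not an input at all.
// Returns null when the header does not mention the feature.
function headerAllows(policy, feature, documentOrigin, requestingOrigin) {
  const allowlist = policy.get(feature);
  if (allowlist === undefined) return null;
  return allowlist.some((member) => {
    if (member === "*") return true;
    if (member === "self") return requestingOrigin === documentOrigin;
    if (!member.startsWith('"')) return false; // unknown token
    try {
      return new URL(member.slice(1, -1)).origin === requestingOrigin;
    } catch {
      return false; // not a parseable origin
    }
  });
}

function demo() {
  const policy = parsePermissionsPolicy(SAMPLE_HEADER);
  const page = "https://shop.example";
  return {
    // Any script running in the page, whatever host served it, is judged
    // as the page's origin, so this result covers third-party scripts too.
    page: headerAllows(policy, "geolocation", page, page),
    mapsFrame: headerAllows(policy, "geolocation", page, "https://maps.example"),
    trackerFrame: headerAllows(policy, "geolocation", page, "https://tracker.example"),
    camera: headerAllows(policy, "camera", page, page),
    microphone: headerAllows(policy, "microphone", page, page),
  };
}
```

The policy blocks a `tracker.example` frame, but a `tracker.example` script included directly in the page is covered by the `page` result.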