Re: [w3c/permissions] Granting permission to non-fully-active documents is weird and should be disallowed (#162)

Sorry for the delay, @rakina. I've been trying to educate myself further about BFCache. 

> However, there's also the "permission status change" event which I think this thread hasn't talked about, but is being updated in @marcoscaceres' PR: #249 . I'm not really sure when this will be triggered - is it possible for this to be triggered by another frame/page?

It cannot be updated by another page in the context of this specification. However, the end-user could revoke a permission manually by changing a site's permission settings.

There are two cases I can think of (there may be others, and hopefully other folks will chime in!):

## Case 1 - BF restore 

 1. Parent document creates an iframe (page1.html). 
 2. Permission is granted for powerful feature X.
 3. iframe is navigated to another page (page2.html) - page1.html is now in BFCache.
 4. User revokes permission for origin for powerful feature X.
 5. `history.back();` gets called. 
 6. page1.html's document gets unfrozen from BFCache. 

Now we have a situation: 
 1. Should the permission change event be delivered? (probably yes - this might already happen automatically, but it's hard to test as BFCache is somewhat unreliable). 
 2. Every API MUST recheck if it's "allowed to" use the API, like Geolocation now does (we make that clear in the TAG Recommendation). 

## Case 2 - Reference Theft

 1. Parent document creates an iframe (page1.html). 
 2. Permission is granted for powerful feature X.
 3. Parent *steals a pointer* to the iframe's permissions instance, causing GC to no longer be possible for that instance: that is, `const stolen = iframe.contentWindow.navigator.permissions; // lulz`
 4. iframe is navigated to another page (page2.html).
 5. `history.back();` gets called - new window/document gets created.
 6. Parent frame calls `stolen.query({name: "geolocation"})`.
 
In this case - which has no practical application whatsoever: 
 - Return a promise rejected with "NotAllowed" `DOMException`. 


https://github.com/w3c/permissions/issues/162#issuecomment-883020373

Received on Tuesday, 20 July 2021 03:19:50 UTC
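The page-side handling the two cases above call for, as an added example that is not code from this thread, from the Permissions spec, or from any browser: re-query a powerful feature's permission when the document comes back from BFCache (`pageshow` with `persisted === true`) and on every `change` event, gate actual use of the feature on a fresh answer rather than a cached one, and treat a query that rejects with a `"NotAllowedError"` `DOMException` (what Case 2 proposes for a stolen `permissions` reference) as denied. The function names (`installPermissionRecheck`, `useFeatureIfAllowed`) and the injection of `win` and `permissions` as parameters are this example's own choices, made so the same code runs against `window` / `navigator.permissions` in a browser and against constructed stand-ins elsewhere.

```javascript
// Added example for w3c/permissions#162, not code from the thread or the spec.
// `win` and `permissions` are parameters (an assumption made for testability)
// so the same function works with window / navigator.permissions in a browser
// and with constructed stand-ins in Node.

const FEATURE = "geolocation"; // the thread's "powerful feature X"

// Returns a `recheck(reason)` function that resolves to the fresh state
// ("granted" | "denied" | "prompt") and reports it through `onState(state, reason)`.
function installPermissionRecheck(win, permissions, name, onState) {
  let subscribed = false;

  const recheck = async (reason) => {
    let state;
    try {
      // Always ask again: a PermissionStatus read before the page was frozen
      // can be stale if the user revoked the permission in the meantime.
      const status = await permissions.query({ name });
      if (!subscribed) {
        // Later revocations/grants arrive as "change" on the status object.
        status.addEventListener("change", () => recheck("change"));
        subscribed = true;
      }
      state = status.state;
    } catch (err) {
      // Case 2: the UA refuses to serve a Permissions object whose document is
      // no longer fully active. Treat that as denied instead of crashing.
      if (!(err && err.name === "NotAllowedError")) throw err;
      state = "denied";
    }
    onState(state, reason);
    return state;
  };

  // Case 1: pageshow with persisted === true signals a BFCache restore.
  win.addEventListener("pageshow", (event) => {
    if (event.persisted) recheck("bfcache-restore");
  });

  return recheck;
}

// Gate feature use on a fresh recheck; returns whether the feature was used.
async function useFeatureIfAllowed(recheck, onUse) {
  const state = await recheck("before-use");
  if (state === "granted") {
    onUse();
    return true;
  }
  return false;
}

// Browser entry point; in Node there is no window, so nothing runs at load.
if (typeof window !== "undefined" && window.navigator && window.navigator.permissions) {
  const recheck = installPermissionRecheck(window, window.navigator.permissions, FEATURE,
    (state, why) => console.log(`permission ${FEATURE} is ${state} (${why})`));
  recheck("install");
}
```

In a real page the `recheck` returned here is what a feature's call site should await immediately before use; the `pageshow` and `change` listeners keep the displayed state honest, but only the call-site recheck protects the actual call after a restore.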