- From: Jun <notifications@github.com>
- Date: Thu, 28 Oct 2021 12:01:14 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 28 October 2021 19:01:27 UTC
I logically don't understand why we are in model where we have to pass permission from top frame to child frame, if child frame is the one who actually want to use the permission.
If this spec is trying to solve the user activation, why can't we just tie user activation with API usage?
For example, parent frame wants to delegate user activation for payment, it'll postMessage like:
```
button1.onclick = () => win1.postMessage("msg", {activate: "payment"});
```
And then child frame will be able to consume user activation only for Payment Request API.
> 1. Permissions Policy is used to delegate the permission, but it doesn't delegate the user activation. The user would still have to click in the frame if the API required user activation.
Permission Policy is not used to delegate permissions. Permission Policy allows a site to declare which permissions are allowed to be requested/used. [Permission Delegation](https://docs.google.com/document/d/1x5QejvpyQ71LPWhMLsaM1lWCfSsBsSQ8Dap9kJ6uLv0/edit?usp=sharing) is a browser implementation and it's not a Web Standard.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/655#issuecomment-954118112
Received on Thursday, 28 October 2021 19:01:27 UTC