Re: [w3ctag/design-reviews] Review request for Fenced Frames (Issue #735)

> > Delegated permissions: [Permission delegation](https://www.chromestatus.com/feature/5670617353289728) restricts permission requests to the top-level frame. Since fenced frames are embedded contexts, they should not have access to permissions, even if they are treated as top-level browsing contexts. Also delegation of permissions from the embedding context to the fenced frames should not be allowed as that could be a communication channel. This is detailed further [here](https://github.com/shivanigithub/fenced-frame/blob/master/explainer/permission_document_policies.md).
> 
> Would suppose to make it clear, and this is fair. Perhaps it would enhance the clarity if it was expanded a bit? Though I assume that this will be the case in the actual specification document (which would be fine...)

Right, this would be part of the spec. Also the explainer goes into more details about permissions [here](https://github.com/WICG/fenced-frame/blob/master/explainer/permission_document_policies.md#permission-policy).
I will point out though that we are in the process of updating that explainer because of issues like [this one](https://github.com/WICG/fenced-frame/issues/37) where features like attribution reporting will need to be allowed in specific fenced frame modes if it's not disallowed by the top-level page. The guiding principle will stay the same: fenced frames should not be used as a work-around to the top-level page's permission restrictions and permission delegation should not act as a communication channel.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/735#issuecomment-1185825176
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/735/1185825176@github.com>