Re: [w3ctag/design-reviews] Review request for Fenced Frames (Issue #735)

> > As @domfarolino mentioned, the sensors will all be disabled inside a fenced frame tree. Other APIs that could be side channels like Navigator.vibrate are also disabled inside a fenced frame tree ([code source link](https://chromium-review.googlesource.com/c/chromium/src/+/3473683)). Similarly programmatic focus is disabled as described [here](https://github.com/WICG/fenced-frame/blob/master/explainer/integration_with_web_platform.md#focus). The document also describes other APIs that are on our radar, e.g. intersection observer.
> > Updated the documentation [here](https://github.com/WICG/fenced-frame/blob/master/explainer/permission_document_policies.md#summary) for describing interaction with Permissions API.
> 
> Additionally, would like to point out that many of the side channels have been identified and are documented in the explainer, but that may not be an exhaustive list and we look forward to continuing to add to it and welcome feedback.

Thanks @shivanigithub @domfarolino, so I reckon that this:

> Delegated permissions: [Permission delegation](https://www.chromestatus.com/feature/5670617353289728) restricts permission requests to the top-level frame. Since fenced frames are embedded contexts, they should not have access to permissions, even if they are treated as top-level browsing contexts. Also delegation of permissions from the embedding context to the fenced frames should not be allowed as that could be a communication channel. This is detailed further [here](https://github.com/shivanigithub/fenced-frame/blob/master/explainer/permission_document_policies.md).

is supposed to make it clear, and this is fair. Perhaps it would enhance the clarity if it was expanded a bit? Though I assume that this will be the case in the actual specification document (which would be fine...)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/735#issuecomment-1170288644
Message ID: <w3ctag/design-reviews/issues/735/1170288644@github.com>

Received on Wednesday, 29 June 2022 17:42:26 UTC