- From: Aaron Selya <notifications@github.com>
- Date: Fri, 21 Feb 2025 08:56:55 -0800
- To: w3c/permissions <permissions@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 21 February 2025 16:56:59 UTC
aselya left a comment (w3c/permissions#458)

> @aselya can you elaborate a bit more on why you think exposing Permissions Policy state (which is "allowed to use") would lead to retaliation against the user?
>
> I could see an argument for why this technically exposes cross-origin information, but that seems by design, the same way that, say, the sandbox argument is observable by a cross-origin iframe. Also, that doesn't seem like something that should be implementation-defined. :)

Apologies for the delay in response, only just saw this. I made this PR after observing that this spec and the [spec](https://privacycg.github.io/requestStorageAccessFor/#permissions-integration) for requestStorageAccessFor (rSAFor) were not in alignment on what permission states might be returned from a query. The explanation provided in the rSAFor spec for not revealing the [denied](https://w3c.github.io/permissions/#dfn-denied) permission state seemed reasonable and worth incorporating into the permissions spec to allow for other permissions to utilize in the same manner.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/pull/458#issuecomment-2675074743
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/permissions/pull/458/c2675074743@github.com>