Re: [w3ctag/design-reviews] Permissions Policy reports for iframes (Issue #1050)

shhnjk left a comment (w3ctag/design-reviews#1050)

> Can you give us a bit more information on what user need you're meeting, and how this will change the user experience?

We'd like to mitigate Permission Delegation of powerful permissions to unintentional sites (e.g. [HTML injection in Bing resulted in camera access through Edge](https://speakerdeck.com/shhnjk/piloting-edge-copilot?slide=27)). However, for sites to deploy Permissions Policy for restricting cross-origin usage, they must know which cross-origin sites permissions are currently delegated to (i.e. intentional delegation). There is no way to know this currently using Permissions Policy reporting, because cross-origin usage is never sent.

> Also, we note a sustained objection from [@annevk](https://github.com/annevk) at WebKit. [WebKit/standards-positions#448](https://github.com/WebKit/standards-positions/issues/448) Where is this discussion now?

As explained in https://github.com/w3c/webappsec-permissions-policy/issues/561#issuecomment-2700819817, there was a W3C WebAppSec meeting specifically for this, which @annevk attended. We have not heard objections at the time.


Message ID: <w3ctag/design-reviews/issues/1050/2920221482@github.com>

Received on Thursday, 29 May 2025 18:25:16 UTC