- From: Jun <notifications@github.com>
- Date: Thu, 29 May 2025 11:25:13 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1050/2920221482@github.com>
shhnjk left a comment (w3ctag/design-reviews#1050)

> Can you give us a bit more information on what user need you're meeting, and how this will change the user experience?

We'd like to mitigate Permission Delegation of powerful permissions to unintentional sites (e.g. [HTML injection in Bing resulted in camera access through Edge](https://speakerdeck.com/shhnjk/piloting-edge-copilot?slide=27)). However, for sites to deploy Permissions Policy for restricting cross-origin usage, they must know which cross-origin sites permissions are currently delegated to (i.e. intentional delegation). There is no way to know this currently using Permissions Policy reporting, because cross-origin usage is never sent.

> Also, we note a sustained objection from [@annevk](https://github.com/annevk) at WebKit. [WebKit/standards-positions#448](https://github.com/WebKit/standards-positions/issues/448) Where is this discussion now?

As explained in https://github.com/w3c/webappsec-permissions-policy/issues/561#issuecomment-2700819817, there was a W3C WebAppSec meeting specifically for this, where @annevk attended. We have not heard objections at the time.

Received on Thursday, 29 May 2025 18:25:16 UTC