RE: Permissions store

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 18 Aug 2016 12:39:16 +0100
To: "'Martin Thomson'" <martin.thomson@gmail.com>, "'Anne van Kesteren'" <annevk@annevk.nl>
Cc: "'Raymes Khoury'" <raymes@google.com>, "'Martin Thomson'" <mt@mozilla.com>, "'Jeffrey Yasskin'" <jyasskin@google.com>, "'WebAppSec WG'" <public-webappsec@w3.org>, "'Marcos Caceres'" <marcos@marcosc.com>, "'Mounir Lamouri'" <mlamouri@google.com>, "'Ben Wells'" <benwells@google.com>
Message-ID: <06b501d1f945$2702f560$7508e020$@baycloud.com>
Indicating a revoked permission could be an event, or it could be by a GET to a URL like the CSP notification, i.e. could be triggered from any browsing context or none. The Referer header could be stripped in that case so any new context doesn't get communicated.

Dealing with permissions on a set of origins where they are all managed by the same party is different from allowing permissions for any or all origins. You could specify a set of origins and the UA could check they are managed by the same organisation. If they all had an Origin-Policy manifest for example, which had a property Uri that identified the ultimate "owner", then the UA can check that all the origins point to the same owner before allowing the prompt.

It gives you a managed halfway house between leaving it to the UA and strict SOP.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: 18 August 2016 10:39
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Raymes Khoury <raymes@google.com>; Martin Thomson <mt@mozilla.com>; Jeffrey Yasskin <jyasskin@google.com>; WebAppSec WG <public-webappsec@w3.org>; Marcos Caceres <marcos@marcosc.com>; Mounir Lamouri <mlamouri@google.com>; Ben Wells <benwells@google.com>
Subject: Re: Permissions store

On 18 August 2016 at 17:44, Anne van Kesteren <annevk@annevk.nl> wrote:
> This is exactly the kind of thing that is problematic. Since if a UA
> ships that and sites come to depend on it, other UAs will have to
> copy. Requiring changes to the standard for such practices is a good
> way to keep everyone informed of competitive pressures.

It almost sounds like you want to be able to receive an event when
this happens.  Because rejection of a previously granted permission is
entirely asynchronous with anything that is happening on a page.  And
it currently manifests in different ways.  The same applies to any
change in state.

What makes an event potentially difficult is that I can imagine cases
where these changes - like that cat in the box - aren't necessarily
visible until you ask.
Received on Thursday, 18 August 2016 11:40:06 UTC
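
The same-owner check proposed in the message above, sketched as an added example; it is not part of the original thread and not any UA's implementation. The `owner` manifest property and the names `sameOwner` and `normaliseOwner` are assumptions, and manifests are treated as already fetched from each origin.

```javascript
// Added illustration: the manifest shape { owner: "<URI>" } is an assumption, not a defined format.

// Canonicalise an owner URI; return null for anything that is not an https URL.
function normaliseOwner(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  u.hash = "";
  return u.href;
}

// origins: array of origin strings the site wants one prompt to cover.
// manifests: Map from origin to its already-fetched manifest object.
// Fails closed: a missing manifest, unusable owner or mismatch blocks the prompt.
function sameOwner(origins, manifests) {
  if (!Array.isArray(origins) || origins.length === 0) {
    return { allowPrompt: false, reason: "no origins requested" };
  }
  let owner = null;
  for (const raw of origins) {
    let origin;
    try {
      origin = new URL(raw).origin;
    } catch {
      return { allowPrompt: false, reason: `invalid origin: ${raw}` };
    }
    const manifest = manifests.get(origin);
    const declared = manifest ? normaliseOwner(manifest.owner) : null;
    if (declared === null) {
      return { allowPrompt: false, reason: `no usable owner for ${origin}` };
    }
    if (owner === null) owner = declared;
    else if (declared !== owner) {
      return { allowPrompt: false, reason: `owner mismatch at ${origin}` };
    }
  }
  return { allowPrompt: true, owner };
}

// Constructed sample data (example.* names are placeholders).
const sampleManifests = new Map([
  ["https://shop.example.com", { owner: "https://example.com/" }],
  ["https://pay.example.com", { owner: "HTTPS://EXAMPLE.COM" }],
  ["https://cdn.example.net", { owner: "https://other.example.org/" }],
]);
```

The check only establishes that the listed origins declare the same owner; how a UA would confirm that the owner acknowledges those origins is outside what the message describes.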