
Re: VC meeting to discuss Permissions spec

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 9 Jun 2016 11:35:56 +0200
Message-ID: <CADnb78jMbJivTdnZLPQL5ZwhKSZ1rvECYydKm51SQmAuHqsTow@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jan-Ivar Bruaroey <jib@mozilla.com>, Ilya Grigorik <igrigorik@google.com>, Raymes Khoury <raymes@google.com>, Harald Alvestrand <hta@google.com>, Mounir Lamouri <mlamouri@google.com>, Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Wendy Seltzer <wseltzer@w3.org>, "Cindy (Xiaoqian) Wu" <xiaoqian@w3.org>

On Wed, Jun 8, 2016 at 8:17 PM, Brad Hill <hillbrad@gmail.com> wrote:
> If you missed the call and are interested, I took minutes, available at:
>
> http://www.w3.org/2016/06/08-webappsec-minutes.html

What Martin says there about Firefox and origins is inaccurate, I
believe. We changed the permission manager last year to be
origin-bound: https://bugzilla.mozilla.org/show_bug.cgi?id=1165263.

(Now revocations might well go the eTLD route, not sure, and that
might even make sense, but that seems more like a UX-issue whether you
treat www.google.com and mail.google.com as equivalent from a UX
perspective. There's a similar problem there when clearing storage. If
that would affect just the origin, cookies can be used to revive it.
I'd really like a clear set of principles for those questions, but it
seems like it will require more research.)


-- 
https://annevankesteren.nl/
Received on Thursday, 9 June 2016 09:36:23 UTC
