Request for comments: Permission Delegation to Iframes

From: Raymes Khoury <raymes@google.com>
Date: Wed, 16 Mar 2016 00:20:49 +0000
Message-ID: <CAEYdGOW4CjOvWLKFe7cs0_5W8xg6QoRbgtkJc+yY8QvzzyfO5Q@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Chris Palmer <palmer@google.com>

Hi all,

We're looking for comments and feedback on a proposal aimed at making the
permissions model for iframes more understandable for people. User research
suggests that currently people don't have a good understanding of who they
are granting access to when permission requests come from iframes. Also,
the way permission decisions are scoped for iframes is inconsistent (across
permissions and across UAs), making behavior hard to predict. It's also
difficult to build simple UI to communicate and manage iframe permissions.

The idea of the proposal is to require an embedding origin to delegate
permission to an iframe in order for the iframe to get access. Sites in
iframes would not be able to access permissions unless they were delegated.
This means that users would only be required to make permission decisions
about the top level origin, which is simpler to understand. It also allows
for simpler permission management UI.

We've converted our initial proposal doc [1] into a draft spec, however
this is far from final and we're seeking more discussion, feedback and
other contributions from those interested:

https://noncombatant.github.io/permission-delegation-api/

The draft includes motivations, a discussion of security considerations and
risks, requirements for delegation, as well as an iframe attribute and JS
API to delegate permissions.

Thanks,
Raymes

[1] https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0
Received on Wednesday, 16 March 2016 10:44:03 UTC
