
Re: Request for comments: Permission Delegation to Iframes

From: Chris Palmer <palmer@google.com>
Date: Wed, 16 Mar 2016 12:54:17 -0700
Message-ID: <CAOuvq23wZstOGpPZW_sk6gynMcD-8vjNAD9f2w2hqzxY=ROYCA@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Mar 16, 2016 at 7:24 AM, Richard Barnes <rbarnes@mozilla.com> wrote:

> Do we even need an API here?  It seems like you could achieve the same
> effect with less back-and-forth / code changes by stipulating that
> permissions requested from iframe are only valid in the scope of the
> top-level page.  That might make some iframed stuff sad, but you could
> still get full cross-site-usable permissions if you get users to visit your
> site.
>

There would still be the situation that an embedee could cause a bad
experience for a person who is using the embedder origin, by requesting
lots of permissions. This is annoying, causes permission request fatigue,
and reflects badly on the embedder (since we believe, on evidence, that
people only perceive the embedder).


> I admit that this doesn't have a great transition story.  Do you have any
> telemetry on how often permissions-requesting things are used from
> iframes?  That will bound our ability to do stuff in any case.
>

See the Usage section in
https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit#heading=h.sn9xlweol7fm.
The good news is that usage from cross-origin iframes is low, so we have a
chance now to get this right before we have a large installed base of
iframes depending on being able to ask for permissions. It's not 0, but
it's not yet high.
Received on Wednesday, 16 March 2016 19:54:46 UTC
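The three scoping options discussed above (grants usable cross-site, grants valid only under the top-level origin that was visited, and explicit delegation by the embedder) can be compared with a small model. The code below is an added example written for this archive page; it is not code from either author or from the linked proposal document, and the origins, permission names and "user" decisions in it are constructed. It counts how many prompts a noisy embedded widget can force on the user of an embedding site, and whether a grant obtained on one site is silently reusable on another.

```javascript
'use strict';
// Added example (not from the thread or the linked proposal): a model of how a
// browser could scope permission grants made from cross-origin iframes.
// All origins, permission names and user decisions below are constructed.

const PERMISSIONS = ['geolocation', 'notifications', 'camera', 'microphone', 'midi'];

class PermissionStore {
  // policy: 'per-origin'  - a grant is keyed by the requesting origin only
  //         'top-level'   - a grant is keyed by (top-level origin, requesting origin)
  //         'delegation'  - like 'top-level', but an embedded origin may only
  //                         prompt if the embedder has delegated that permission
  constructor(policy) {
    this.policy = policy;
    this.grants = new Set();
    this.delegations = new Set();
    this.prompts = 0;          // how many times the user was shown a prompt
  }

  key(topOrigin, requester, perm) {
    return this.policy === 'per-origin'
      ? `${requester}|${perm}`
      : `${topOrigin}|${requester}|${perm}`;
  }

  // Embedder explicitly allows one embedded origin to ask for one permission.
  delegate(topOrigin, embedded, perm) {
    this.delegations.add(`${topOrigin}|${embedded}|${perm}`);
  }

  // Returns 'granted', 'denied' (user said no) or 'blocked' (never prompted).
  request(topOrigin, requester, perm, userDecides) {
    const crossOrigin = topOrigin !== requester;
    if (this.policy === 'delegation' && crossOrigin &&
        !this.delegations.has(`${topOrigin}|${requester}|${perm}`)) {
      return 'blocked';        // no prompt shown: the embedder did not delegate
    }
    const k = this.key(topOrigin, requester, perm);
    if (this.grants.has(k)) return 'granted';   // remembered decision, no prompt
    this.prompts += 1;
    if (userDecides(topOrigin, requester, perm)) {
      this.grants.add(k);
      return 'granted';
    }
    return 'denied';
  }
}

// Scenario: widget.example is embedded on two unrelated sites. On the first it
// asks for geolocation (user accepts), then asks for every permission it knows;
// later it appears on the second site and asks for geolocation again.
function simulate(policy, delegateGeo = false) {
  const store = new PermissionStore(policy);
  const widget = 'https://widget.example';
  const news = 'https://news.example';
  const shop = 'https://shop.example';
  // Constructed user behaviour: accepts geolocation, refuses everything else.
  const user = (top, req, perm) => perm === 'geolocation';

  if (delegateGeo) store.delegate(news, widget, 'geolocation');

  const firstRequest = store.request(news, widget, 'geolocation', user);
  for (const p of PERMISSIONS) store.request(news, widget, p, user);  // noisy widget
  const promptsOnNews = store.prompts;   // prompt fatigue inflicted on news.example
  const onOtherSite = store.request(shop, widget, 'geolocation', user);

  return {
    firstRequest,
    promptsOnNews,
    // true if the grant from news.example was reused on shop.example with no prompt
    reusedOnOtherSite: onOtherSite === 'granted' && store.prompts === promptsOnNews,
    totalPrompts: store.prompts,
  };
}

for (const policy of ['per-origin', 'top-level', 'delegation']) {
  console.log(policy, simulate(policy));
}
console.log('delegation (geolocation delegated)', simulate('delegation', true));
```

Under 'per-origin' the widget gets five prompts on news.example and then reuses the geolocation grant on shop.example without asking; under 'top-level' the cross-site reuse disappears but the prompt fatigue on the embedder does not; under 'delegation' a non-delegated widget can show no prompts at all, and a delegated one can only ask for what the embedder allowed.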
