W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: Request for comments: Permission Delegation to Iframes

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 16 Mar 2016 16:02:55 -0400
Message-ID: <CAOAcki_c-woeD+Qo-G0wF=_xJnuzUOduz2vmNvL3AO27cRweWQ@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Mar 16, 2016 at 3:54 PM, Chris Palmer <palmer@google.com> wrote:

> On Wed, Mar 16, 2016 at 7:24 AM, Richard Barnes <rbarnes@mozilla.com>
> wrote:
>
> Do we even need an API here?  It seems like you could achieve the same
>> effect with less back-and-forth / code changes by stipulating that
>> permissions requested from iframe are only valid in the scope of the
>> top-level page.  That might make some iframed stuff sad, but you could
>> still get full cross-site-usable permissions if you get users to visit your
>> site.
>>
>
> There would still be the situation that an embedee could cause a bad
> experience for a person who is using the embedder origin, by requesting
> lots of permissions. This is annoying, causes permission request fatigue,
> and reflects badly on the embedder (since we believe, on evidence, that
> people only perceive the embedder).
>

This seems like something for the market to sort out (i.e., don't use
annoying embeds), rather than a compelling reason to build an API.

And it's not clear to me that the proposed API does much for this problem.
It seems like you would have to say that using permission="..." would
disable prompts for permissions not on that list, i.e., that you can't mix
and match delegated with traditional permissions.  Which of course also has
its own transition issues.

--Richard


> I admit that this doesn't have a great transition story.  Do you have any
>> telemetry on how often permissions-requesting things are used from
>> iframes?  That will bound our ability to do stuff in any case.
>>
>
> See the Usage section in
> https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit#heading=h.sn9xlweol7fm.
> the good news is that usage from cross-origin iframes is low, so we have a
> chance now to get this right before we have a large installed base of
> iframes depending on being able to ask for permissions. It's not 0, but
> it's not yet high.
>
Received on Wednesday, 16 March 2016 20:03:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:18 UTC