- From: Chris Palmer <palmer@google.com>
- Date: Wed, 16 Mar 2016 14:53:04 -0700
- To: Richard Barnes <rbarnes@mozilla.com>
- Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAOuvq23s2iU9FudMZrzKPUkDiv9A=47mtdXVc5zga-ZmCBJ9ow@mail.gmail.com>

On Wed, Mar 16, 2016 at 1:02 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> This seems like something for the market to sort out (i.e., don't use
> annoying embeds), rather than a compelling reason to build an API.

Well, say an embedder wanted to find out if any of its embedees were being annoying. Wouldn't it be great to be able to install handlers for "embedee requested permission X"? (A previous draft included that; we could add it back.)

And, sites that want to find out the hard way ;) if their embedders could delegate all permissions always — it could be as free-wheeling as it is today. (A previous draft also had a "*" pseudo-permission, to grant all. Again, if there is interest, we could add that back.)

It's hard for me to see that giving embedders knowledge and control is a bad thing, especially given the observed problem that people who use web apps are not generally aware that web apps are composed from pieces from different origins. And, it's hard for me to see how we could do that without an API.

And it's not clear to me that the proposed API does much for this problem.

> It seems like you would have to say that using permission="..." would
> disable prompts for permissions not on that list, i.e., that you can't mix
> and match delegated with traditional permissions. Which of course also has
> its own transition issues.

Right, without explicit delegation the embedee would not even be able to ask. And, yes, there would be transition issues, but as mentioned, the deployed base is small... for now.

One can imagine that an embedder might install an event handler to capture "embedee tried to ask for Foo permission", and then the embedder could have logic to decide if they want to let the request go through. Again, we could add event handlers to the draft for that, if people are interested.

Received on Wednesday, 16 March 2016 21:53:35 UTC