W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: Request for comments: Permission Delegation to Iframes

From: Chris Palmer <palmer@google.com>
Date: Wed, 16 Mar 2016 14:53:04 -0700
Message-ID: <CAOuvq23s2iU9FudMZrzKPUkDiv9A=47mtdXVc5zga-ZmCBJ9ow@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Mar 16, 2016 at 1:02 PM, Richard Barnes <rbarnes@mozilla.com> wrote:


> This seems like something for the market to sort out (i.e., don't use
> annoying embeds), rather than a compelling reason to build an API.
>

Well, say an embedder wanted to find out if any of its embedees were being
annoying. Wouldn't it be great to be able to install handlers for "embedee
requested permission X"? (A previous draft included that; we could add it
back.)

And, sites that want to find out the hard way ;) if their embedders could
delegate all permissions always — it could be as free-wheeling as it is
today. (A previous draft also had a "*" pseudo-permission, to grant all.
Again, if there is interest, we could add that back.

It's hard for me to see that giving embedders knowledge and control is a
bad thing, especially given the observed problem that people who use web
apps are not generally aware that web apps are composed from pieces from
different origins. And, it's hard for me to see how we could do that
without an API.

And it's not clear to me that the proposed API does much for this problem.
> It seems like you would have to say that using permission="..." would
> disable prompts for permissions not on that list, i.e., that you can't mix
> and match delegated with traditional permissions.  Which of course also has
> its own transition issues.
>

Right, without explicit delegation the embedee would not even be able to
ask. And, yes, there would be transition issues, but as mentioned, the
deployed base is small... for now.

One can imagine that an embedder might install an event handler to capture
"embedee tried to ask for Foo permission", and then the embedder could have
logic to decide if they want to let the request go through. Again, we could
add event handlers to the draft for that, if people are interested.
Received on Wednesday, 16 March 2016 21:53:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:18 UTC