Re: Request for comments: Permission Delegation to Iframes

> the UA MUST prevent the embedee from triggering permission prompts to the user

This is reasonable. The site has unnecessarily created a confusing
situation. The embedder could have requested the permission itself, or
opened a new tab showing only the embedee, depending on need and trust

> and the UA SHOULD prevent the embedee from acquiring any permissions based on a prior decision made by the user

This is futile. The embedee can use a service worker. Or it can open a
new tab where it is the top origin, quickly do what it needs, and
close the tab before you notice it was ever open.

(I hope Google Maps would use this tab trick! Having every embedder
request geolocation permission would be a disaster for both usability
and security.)

Received on Friday, 18 March 2016 10:25:03 UTC