
Re: Request for comments: Permission Delegation to Iframes

From: Jesse Ruderman <jruderman@gmail.com>
Date: Thu, 17 Mar 2016 17:29:16 -0700
Message-ID: <CAB-YmG1bhS=d+sPq6sbJP+nsx-o-kXLXthbUk0qBeytK7-YDxg@mail.gmail.com>
To: public-webappsec@w3.org

> the UA MUST prevent the embedee from triggering permission prompts to the user

This is reasonable. The site has unnecessarily created a confusing
situation. The embedder could have requested the permission itself, or
opened a new tab showing only the embedee, depending on need and trust
relationships.

> and the UA SHOULD prevent the embedee from acquiring any permissions based on a prior decision made by the user

This is futile. The embedee can use a service worker. Or it can open a
new tab where it is the top origin, quickly do what it needs, and
close the tab before you notice it was ever open.

(I hope Google Maps would use this tab trick! Having every embedder
request geolocation permission would be a disaster for both usability
and security.)
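The first paragraph above says the embedder could have requested the permission itself rather than leaving the embedded frame to trigger a prompt. The following is an added illustration of that pattern, written for this archive page and not code from the thread or from any browser vendor: the top-level embedder page requests geolocation in its own context and hands the result to the iframe over postMessage, pinning both the accepted sender origin and the postMessage targetOrigin. The iframe origin, the element id and the message type names are assumptions made up for the example.

```javascript
// Added example (not from the original thread): an embedder page that requests
// geolocation itself, so the embedded frame never has to trigger a permission
// prompt, and forwards the minimal result to the frame over postMessage.
// EMBEDEE_ORIGIN, the "embedee" element id and the message types are assumed.

const EMBEDEE_ORIGIN = "https://maps.example"; // assumed origin of the iframe

// Only act on a message that really came from the embedded origin and has the
// one message shape we expect. event.origin is set by the browser and cannot be
// spoofed by the sender, which is why it is the thing we check.
function isTrustedEmbedeeRequest(event, allowedOrigin = EMBEDEE_ORIGIN) {
  if (event.origin !== allowedOrigin) return false;
  const data = event.data;
  return typeof data === "object" && data !== null && data.type === "request-position";
}

// Reduce a GeolocationPosition to the plain object the embedee needs. The
// position object itself is not reliably structured-cloneable, and we do not
// want to forward more fields than the use case calls for.
function toPositionMessage(position) {
  const { latitude, longitude, accuracy } = position.coords;
  return { type: "position", latitude, longitude, accuracy, timestamp: position.timestamp };
}

// Promise wrapper around getCurrentPosition. Because this runs in the top-level
// page, any prompt the browser shows is attributed to the embedder, not the frame.
function requestPositionFromEmbedder(geolocation) {
  return new Promise((resolve, reject) =>
    geolocation.getCurrentPosition(resolve, reject, { enableHighAccuracy: false, timeout: 10000 })
  );
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof navigator !== "undefined" && navigator.geolocation) {
  window.addEventListener("message", async (event) => {
    if (!isTrustedEmbedeeRequest(event)) return;
    const frame = document.getElementById("embedee"); // assumed iframe id
    // Also require that the message came from our own frame's window, not from
    // some other window that happens to share the embedee origin.
    if (!frame || event.source !== frame.contentWindow) return;
    try {
      const pos = await requestPositionFromEmbedder(navigator.geolocation);
      // targetOrigin is pinned: if the frame has since navigated elsewhere, the
      // browser drops the message instead of delivering the position.
      frame.contentWindow.postMessage(toPositionMessage(pos), EMBEDEE_ORIGIN);
    } catch (err) {
      frame.contentWindow.postMessage({ type: "position-denied", reason: err.message }, EMBEDEE_ORIGIN);
    }
  });
}
```

The embedded page would post `{ type: "request-position" }` to `window.parent` and listen for a `position` or `position-denied` reply, checking `event.origin` against the embedder's origin on its side in the same way. The design keeps the prompt, and the user's decision, tied to the site the user can actually see in the address bar.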

Received on Friday, 18 March 2016 10:25:03 UTC
