Re: Request for comments: Permission Delegation to Iframes from Richard Barnes on 2016-03-18 (public-webappsec@w3.org from March 2016)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Fri, 18 Mar 2016 15:46:06 -0400
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Raymes Khoury <raymes@google.com>, WebAppSec WG <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>
Message-ID: <CAOAcki_S1gK9nMdSSrNkAz8PdSrrdPkabavM5wbUhhoiEZ8Bcw@mail.gmail.com>
Tanvi, I think you're kind of off-target here.

On Fri, Mar 18, 2016 at 2:16 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> I understand the motivation behind this proposal.  Particularly, in the
> User Research study done[1], it is clear that users don't understand the
> difference between a top level page and an iframe.  However, there are a
> couple things that I don't like about this proposal that are a result of
> section 5[2]:
> * Assume google maps is embedded in yelp.  I want to give google maps my
> location, but not yelp.  With this proposal, there is no easy way of doing
> this (as described in section 8).
>

This seems naïve.  One thing I like about this proposal is that it
acknowledges the reality that if a top-level page has a permission, then it
can *already* effectively delegate that permission to embedded pages with
enough JS.  This fact (or rather, its mirror image) is precisely why the
Secure Contexts spec has all the ancestor / ServiceWorker complexity.


> * Assume a user grants location access to google maps.  They later visit
> yelp.com, yellowpages.com, and tripadvisor.com.  They will get the
> geolocation permission prompt 3 more times on each of these pages, when
> before, their one time grant was enough.
>

Given that the research indicates that the one-time grant wasn't what the
user actually meant, this seems like a feature, not a bug.


> Here is another proposal that aims to handle some of the four reasons
> described in section 4:
> * Top level website can decide whether or not frames can request
> permissions with a frame attribute:
> <iframe id="embedee" src="https://maps.example.com/"
> <https://maps.example.com/> can-prompt-for-permissions="yes"></iframe>
>

This is clearly insufficient.  Suppose the embedder sets
can-prompt-for-permissoins="no" -- how does the embedded page get any
permissions it needs?  Can it just not access any protected APIs?


>
> * If a user grants a permission for a top level site that is later
> embedded, the embedded site will still have the permission.
>

This seems obvious; it's how I assumed this API would work anyway.


>
> With this proposal
> * An embedder has some control over how annoying an embedee can be.  It
> can allow trusted frames to prompt for permissions while denying access to
> less trusted frames.
> * The user makes their decision based off their trust for the top level
> site.  And the top level site decides what embedded content is trustworthy
> enough to prompt their users.
> * We avoid unnecessarily prompting the user for a site that is often
> embedded and that they have already granted permission for.
> * We honor the principal of least privileges, ensuring that only the site
> that needs the permission gets it.
>
> I also wonder if delegation is worth doing for all permission types.
>

If we're going to do this, let's do it generically.

--Richard



>   Is Chrome collecting data on the percentage of mic/camera/pointer
> lock/etc permissions requested by frames?  Maybe we could restrict this to
> a subset of permissions.  Also, 3.5% seems high for notifications; do you
> have any examples of when an embedee would request notification access?
> That seems like a decision that can be better made when the user is
> actually visiting the top level site.
>
> Thanks!
>
> ~Tanvi
>
> [1]
> https://docs.google.com/presentation/d/1suzMhtvMtA11jxPUdH1jL1oPh-82rTymCnslgR3ehEE/edit
> [2]
> https://noncombatant.github.io/permission-delegation-api/#permission-restrictions-for-embedded-web-applications
>
>
>
> On 3/15/16 5:20 PM, Raymes Khoury wrote:
>
> Hi all,
>
> We're looking for comments and feedback on a proposal aimed at making the
> permissions model for iframes more understandable for people. User research
> suggests that currently people don't have a good understanding of who they
> are granting access to when permission requests come from iframes. Also,
> the way permission decisions are scoped for iframes is inconsistent (across
> permissions and across UAs), making behavior hard to predict. It's also
> difficult to build simple UI to communicate and manage iframe permissions.
>
> The idea of the proposal is to require an embedding origin to delegate
> permission to an iframe in order for the iframe to get access. Sites in
> iframes would not be able to access permissions unless they were delegated.
> This means that users would only be required to make permission decisions
> about the top level origin, which is simpler to understand. It also allows
> for simpler permission management UI.
>
> We've converted our initial proposal doc [1] into a draft spec, however
> this is far from final and we're seeking more discussion, feedback and
> other contributions from those interested:
>
> https://noncombatant.github.io/permission-delegation-api/
>
> The draft includes motivations, a discussion of security considerations
> and risks, requirements for delegation, as well as an iframe attribute and
> JS API to delegate permissions.
>
> Thanks,
> Raymes
>
> [1]
> https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0
>
>
>
Received on Friday, 18 March 2016 19:46:39 UTC