
Issue 612954

Starred by 6 users

Issue metadata

Status: WontFix
Closed: Mar 2017
OS: All
Pri: 3
Type: Launch-OWP

Blocked on:
issue 614608




Permission Delegation API for Iframes

Project Member Reported by raymes@chromium.org, May 18 2016

Issue description

See https://noncombatant.github.io/permission-delegation-api/

Change description:
There are two main changes proposed:
- Give an embedding page the ability to delegate permissions (such as geolocation) to iframes that are embedded within it. We introduce 2 mechanisms to do this: a) an <iframe> attribute (e.g. <iframe permissions="geolocation …">); and b) a JS API to programmatically delegate permissions.
- Impose a restriction which prevents iframes from acquiring a permission unless the iframe's embedder has explicitly delegated it.

Changes to API surface:
Initially add a "permissions=" attribute to the <iframe> tag. An imperative API is also planned.

Links:
Spec: https://noncombatant.github.io/permission-delegation-api/
Public standards discussion: 
https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0041.html
https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/thread.html#msg34
Doc: https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit

Support in other browsers:
None


 

Comment 1 by raymes@chromium.org, May 18 2016

Summary: Permission Delegation API for Iframes (was: Implement Permission Delegation API)

Comment 2 by raymes@chromium.org, May 25 2016

Blockedon: 614608
Status: WontFix (was: Assigned)
This is superseded by Feature Policy:  issue 623682 
This proposal will enable delegation of trust that may be prohibited by NDA, local laws etc.
User agent should have an option to disable this behavior.
This seems like a security problem.

Suppose I visit website A, and I deny a permission to it.

I also like to visit website B, which I do grant a permission for. I have never seen website A on website B.

Then one day, website B decides to put website A inside an iframe for some reason or other, and now all of a sudden website A has the permission that I did not want it to have.

Not good!
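
The scenario in the last comment, worked through in a small model of the delegation rule from the issue description. This is an added example, not code from the issue, the linked spec or Chrome; the frame objects, `resolve`, the `honorFrameDeny` option and the rule that a delegated frame inherits the top-level page's decision are assumptions for illustration.

```javascript
// Hypothetical model, not Chrome's implementation or the spec's algorithm.
// A frame is { origin, delegated, parent }: "delegated" lists the permissions
// named in the embedder's permissions= attribute; the top-level page has
// parent === null.

// Rule from the issue: a nested frame cannot acquire a permission unless its
// embedder explicitly delegated it. Assumption: this must hold at every level.
function isDelegated(frame, permission) {
  for (let f = frame; f.parent !== null; f = f.parent) {
    if (!f.delegated.includes(permission)) return false;
  }
  return true;
}

// userDecisions maps "origin|permission" to "granted" or "denied" (constructed).
// honorFrameDeny is an assumed user-agent option: when true, an explicit
// "denied" stored for the frame's own origin overrides any delegation.
function resolve(frame, permission, userDecisions, honorFrameDeny) {
  let top = frame;
  while (top.parent !== null) top = top.parent;
  const decision = (origin) =>
    userDecisions.get(`${origin}|${permission}`) || "prompt";

  if (frame.parent === null) return decision(frame.origin);
  if (!isDelegated(frame, permission)) return "denied";
  if (honorFrameDeny && decision(frame.origin) === "denied") return "denied";
  // Assumption: a delegated frame inherits the top-level page's decision.
  return decision(top.origin);
}

// Constructed data: the user denied site A, granted site B, and B embeds A.
const decisions = new Map([
  ["https://a.example|geolocation", "denied"],
  ["https://b.example|geolocation", "granted"],
]);
const pageB = { origin: "https://b.example", delegated: [], parent: null };
const frameAPlain = { origin: "https://a.example", delegated: [], parent: pageB };
const frameADelegated = { origin: "https://a.example", delegated: ["geolocation"], parent: pageB };

function scenario() {
  return {
    notDelegated: resolve(frameAPlain, "geolocation", decisions, false),
    delegated: resolve(frameADelegated, "geolocation", decisions, false),
    delegatedHonorDeny: resolve(frameADelegated, "geolocation", decisions, true),
  };
}
console.log(scenario());
```

Under these assumptions the user's stored "denied" for site A only survives delegation when the user agent consults the frame's own origin as well as the embedder's.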
