-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add security and privacy section #25
Conversation
Should this be an 'and'? We should try to recommend a single idea here for compatibility purposes. |
Why not restrict this to secure contexts instead? That has a robust definition. I don't see it as actually helping with the problems that this describes, but the definition is precise enough for this. |
@timvolodine -Maryam (m.mehrnezhad@ncl.ac.uk) |
Free link to the paper: |
okay I think I've addressed all comments, in particular
I'll merge if there are no objections :) |
add security and privacy section
…olicy one This addresses a conflict that was introduced in #121: - The presence of the Permissions Policy integration means usage of the Device Orientation API can be allowed in third-party iframes provided that the right tokens are in place. - The "Security and privacy considerations" section contains a requirement that events are fired only on child navigables that are same-origin with the top-level traversable. The latter was introduced in #25 and served as a stop-gap measure before Permissions Policy integration was added. The current implementation status is: - Blink never implemented the same-origin requirement, but added Permissions Policy integration in 2018. - WebKit has always implemented Permissions Policy integration. - Gecko implements the same-origin requirement (see Mozilla bug 1197901). This means we can safely replace the same-origin requirement with a requirement to support the Permissions Policy integration, as switching from one to the other is transparent in the sense that the exact same set of websites that worked before will continue to work with the change, as the features we define have a default allowlist of "self". Fixes #133
…olicy one (#136) This addresses a conflict that was introduced in #121: - The presence of the Permissions Policy integration means usage of the Device Orientation API can be allowed in third-party iframes provided that the right tokens are in place. - The "Security and privacy considerations" section contains a requirement that events are fired only on child navigables that are same-origin with the top-level traversable. The latter was introduced in #25 and served as a stop-gap measure before Permissions Policy integration was added. The current implementation status is: - Blink never implemented the same-origin requirement, but added Permissions Policy integration in 2018. - WebKit has always implemented Permissions Policy integration. - Gecko implements the same-origin requirement (see Mozilla bug 1197901). This means we can safely replace the same-origin requirement with a requirement to support the Permissions Policy integration, as switching from one to the other is transparent in the sense that the exact same set of websites that worked before will continue to work with the change, as the features we define have a default allowlist of "self". Fixes #133
to address issue #24