[webkit-dev] Request for comments: Permission Delegation to Iframes

[Raymes Khoury]

Hi all,

We're looking for comments and feedback on a proposal aimed at making the
permissions model for iframes more understandable for people. User research
suggests that currently people don't have a good understanding of who they
are granting access to when permission requests come from iframes. Also,
the way permission decisions are scoped for iframes is inconsistent (across
permissions and across UAs), making behavior hard to predict. It's also
difficult to build simple UI to communicate and manage iframe permissions.

The idea of the proposal is to require an embedding origin to delegate
permission to an iframe in order for the iframe to get access. Sites in
iframes would not be able to access permissions unless they were delegated.
This means that users would only be required to make permission decisions
about the top level origin, which is simpler to understand. It also allows
for simpler permission management UI.

We have written a draft spec for this proposal but this is far from final
and we’d love to continue the discussion with anyone interested. Please let
us know if you’re interested in contributing or have other comments or
concerns. We’re planning to centralize the discussion on the
public-webappsec at w3.org mailing list.

You can find the draft here:
https://noncombatant.github.io/permission-delegation-api/

Thanks!
Raymes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-dev/attachments/20160316/498d9ffd/attachment.html>