[Webkit-unassigned] [Bug 214448] Web Share permission policy "web-share" and "self" as the allowlist

bugzilla-daemon at webkit.org
Sun Jan 23 16:16:40 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=214448

--- Comment #37 from Marcos Caceres <marcos at marcosc.com> ---
(In reply to youenn fablet from comment #36)
> We could start with a quirk for now

In case it helps, a little more context on the web compat situation: Firefox ships with the policy set to 'self', but web share is only supported on Firefox for Windows.

Alternatively, if we can't get Chrome to change (or it's too late because web compat), we could set the allow list to "all" both in WebKit and in the spec. That would retain web compat with Chrome, while also giving more priv/sec aware sites control over the permissions policy.

The thing to consider is if allowing web share liberally in third party contexts could have significant user privacy or security implications (as happened previously [1]). There is still ongoing work to better secure the API (e.g., [2]). 

Let me know how you would like to proceed. I'm happy to update the spec, Gecko, and WebKit.


[1] https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html
[2] https://github.com/w3c/web-share/issues/178

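A simplified model of the trade-off discussed in the comment above, added here as an example; it is not part of the original message and is not WebKit, Gecko or spec code. It compares a default allowlist of 'self' with a default of "all" for `web-share` in a directly embedded cross-origin iframe, and shows how a site's `Permissions-Policy` header or an iframe `allow` attribute changes the outcome. The origins, function names and the reduction to one nesting level are assumptions.

```javascript
// Constructed sample origins (assumptions for this example).
const SITE = "https://site.example";     // top-level page
const WIDGET = "https://widget.example"; // cross-origin iframe

// An allowlist is "*" or an array of origins ('self'/'src' already resolved).
function matches(allowlist, origin) {
  return allowlist === "*" || allowlist.includes(origin);
}

// Is the feature enabled for `origin` in the top-level document?
function enabledInDocument(defaultAllowlist, docOrigin, headerAllowlist, origin) {
  if (headerAllowlist !== undefined) return matches(headerAllowlist, origin);
  if (defaultAllowlist === "*") return true;
  return origin === docOrigin; // default allowlist 'self'
}

// Is the feature enabled inside a directly embedded iframe?
function enabledInFrame({ defaultAllowlist, parentOrigin, frameOrigin,
                          headerAllowlist, allowAttr }) {
  // The embedding page must have the feature itself.
  if (!enabledInDocument(defaultAllowlist, parentOrigin, headerAllowlist, parentOrigin)) {
    return false;
  }
  // A header allowlist that omits the frame's origin blocks delegation.
  if (headerAllowlist !== undefined && !matches(headerAllowlist, frameOrigin)) return false;
  // iframe allow="web-share ..." takes precedence over the default.
  if (allowAttr !== undefined) return matches(allowAttr, frameOrigin);
  if (defaultAllowlist === "*") return true;
  return frameOrigin === parentOrigin; // default allowlist 'self'
}

function scenarios() {
  const base = { parentOrigin: SITE, frameOrigin: WIDGET };
  return {
    // Default 'self': third-party frame gets nothing unless delegated.
    selfDefault: enabledInFrame({ ...base, defaultAllowlist: "self" }),
    // <iframe allow="web-share"> ('src' resolves to the frame's origin)
    selfDelegated: enabledInFrame({ ...base, defaultAllowlist: "self", allowAttr: [WIDGET] }),
    // Default "all": third-party frame can share with no opt-in by the site.
    allDefault: enabledInFrame({ ...base, defaultAllowlist: "*" }),
    // Site sends  Permissions-Policy: web-share=(self)
    allHeaderSelf: enabledInFrame({ ...base, defaultAllowlist: "*", headerAllowlist: [SITE] }),
    // <iframe allow="web-share 'none'">
    allFrameNone: enabledInFrame({ ...base, defaultAllowlist: "*", allowAttr: [] }),
  };
}

console.log(scenarios());
```

With a default of "all", the restriction only applies on sites that send the header or set the attribute; with 'self', embedding pages have to delegate explicitly.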