[Webkit-unassigned] [Bug 214448] Web Share permission policy "web-share" and "self" as the allowlist
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jan 24 01:04:00 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=214448
--- Comment #38 from youenn fablet <youennf at gmail.com> ---
(In reply to Marcos Caceres from comment #37)
> (In reply to youenn fablet from comment #36)
> > We could start with a quirk for now
>
> In case it helps, a little more context on the web compat situation: Firefox
> ships with the policy set to 'self', but web share is only supported on
> Firefox for Windows.
>
> Alternatively, if we can't get Chrome to change (or it's too late because
> web compat), we could set the allow list to "all" both in WebKit and in the
> spec. That would retain web compat with Chrome, while also giving more
> priv/sec aware sites control over the permissions policy.
Is there a bug tracker for Chrome? Do you know their position?
> The thing to consider is if allowing web share liberally in third party
> contexts could have significant user privacy or security implications (as
> happened previously [1]). There is still ongoing work to better secure the
> API (e.g., [2]).
Twitter is not same origin but same site which is better than arbitrary third-party iframes. Let's add a quirk for now, https://bugs.webkit.org/show_bug.cgi?id=235502.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220124/dee0e673/attachment.htm>
More information about the webkit-unassigned
mailing list