On Thu, Sep 11, 2014 at 6:58 PM, Martin Thomson <[email protected]> wrote: > On 2014-09-11, at 00:56, Anne van Kesteren <[email protected]> wrote: >> Are we actually partitioning permissions per top-level browsing >> context or could they already accomplish this through an <iframe>? > > As far as I understand it, permissions are based on domain name only, they > don’t include scheme or port from the origin. So it’s probably less granular > than that.
That seems somewhat bad. > In the Google case, I doubt that there is anything meaningful we can do to > scope permissions in a way that would both prevent Google from sharing a > persistent grant. Not without breaking a great number of sites. Well, if there's https://maps.example/ that I share my location with, we could make it so that it if https://maps.example/ is embedded from https://mercent.example/, it no longer has the permission. That's what I meant with partitioning by top-level browsing context. -- http://annevankesteren.nl/ _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
