On 12.09.2014 11:51, Henri Sivonen wrote: > On Fri, Sep 12, 2014 at 12:39 PM, Frederik Braun <fbr...@mozilla.com> wrote: >> On 11.09.2014 19:04, Anne van Kesteren wrote: >>> On Thu, Sep 11, 2014 at 6:58 PM, Martin Thomson <m...@mozilla.com> wrote: >>>> On 2014-09-11, at 00:56, Anne van Kesteren <ann...@annevk.nl> wrote: >>>>> Are we actually partitioning permissions per top-level browsing >>>>> context or could they already accomplish this through an <iframe>? >>>> >>>> As far as I understand it, permissions are based on domain name only, they >>>> don’t include scheme or port from the origin. So it’s probably less >>>> granular than that. >>> >>> That seems somewhat bad. >>> >> >> Yes. >> >> AFAIU (I might be terribly wrong), this is because all of those >> permissions (gUM, Geolocation, Offilne Storage, Fullscreen) are using >> the Permission manager we still have from the Popup Blocker/Cookie >> Manager. This is domain based. Not origin :( >> You can see this in about:permissions. > > This is shocking. Making the fundamental design bug of cookies affect > everything else is *really* bad. Is there a bug on file for fixing > this? >
Yes and no. I identified this while working on a thesis on the Same Origin Policy in 2012 and filed this only for Geolocation in bug <https://bugzilla.mozilla.org/show_bug.cgi?id=812147>. But the general solution might be a permission manager rewrite, I suppose? _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
