On 12/09/14 13:59, Anne van Kesteren wrote:
But shouldn't it be aware of this so you can adequately scope the
permission? E.g. I could grant https://amazingmaps.example/ when
embedded through https://okaystore.invalid/ permission to use my
location. But it would not be given out if it were embedded through
https://evil.invalid/ later on.

Or e.g. I could allow YouTube embedded through reddit to go
fullscreen, but not necessarily YouTube itself or when embedded
elsewhere.

In most cases (though here sicking's comment regarding what should happen remains especially applicable), the actor is the only thing that matters.

That is, it's the principal of the JS compartment, which is the origin you see in the bar at the top. The location that script is loaded from doesn't matter. An iframe embed is different, but in that context, the framed site retains complete control over its content and is arguably competent to ensure that it isn't abused; more importantly, the outer site has no visibility other than what the framed site grants it.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform