Permissions Policy Integration (formalize nested iframe support) #78
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
annevk
reviewed
May 6, 2021
storage-access.bs
Outdated
| @@ -202,7 +200,7 @@ When invoked on {{Document}} |doc|, the <dfn export method for=Document><code>re | |||
| 1. Let |p| be [=a new promise=]. | |||
| 1. If this algorithm was invoked when |doc|'s {{Window}} object did not have [=transient activation=], [=reject=] and return |p|. | |||
| 1. If |doc|'s [=Document/browsing context=] is a [=top-level browsing context=], [=/resolve=] and return |p|. | |||
| 1. If |doc|'s [=Document/browsing context=]'s [=parent browsing context=] is not a [=top-level browsing context=], [=reject=] and return |p|. | |||
| 1. If |doc|'s [=relevant settings object=] is not [=allowed to use=] the `"request-storage-access"` permission, [=reject=] and return |p|. | |||
There was a problem hiding this comment.
"allowed to use" operates on a document I believe so you need to grab a document from the environment settings object here.
johannhof
commented
Jun 9, 2021
|
@hober @johnwilander I'll merge this, let me know if you still have any concerns and we can figure those out in follow-ups |
This was referenced Jun 9, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a first stab at integrating permissions policy and support nested iframes in the spec, see #10 and #12 . A few notes:
"request-storage-access"). It's important to note that this policy only controls requesting storage access, it does not tell user agents with persistent/passive storage (see Active or passive storage access after explicit user opt-in #2) how to behave if anallow=noneattribute was added after an iframe received storage access."*"default allowlist which @annevk intended to deprecate. We went back and fort on this but ultimately"*"captures the reality of current implementations best, especially considering that WebKit does not have PP support (and thus implictly default to"*") for the time being. If we had started from scratch on this then maybe"self"would have been the best option, but personally I don't see that happening without WebKit support. Let me know if anyone disagrees.