This is an important change to the way permissions could work in Chrome. I think it’s a good change, but deserves thought and discussion. Feedback would be excellent.
Blink: Intent to implement: Permission Delegation groups.google.com/a/chromium…
10
22
28
Replying to @mikewest
How does this square with @johnwilander Storage Access API? It allows iframes to ask for permissions from the user.

Jan 15, 2018 · 4:15 PM UTC

2
It's a good question that I hadn't thought about! I added a quick note to github.com/whatwg/html/issue… to discuss.
Replying to @bilcorry @mikewest
I originally suggested the top origin should control whether iframes are allowed to call SAA. But @hillbrad said in the WebAppSec meeting that that’ll make adoption take a long time.
3
Yeah. I believe @hillbrad suggested that requiring top-level opt-in would practically boil down to requiring third-party script to execute in the top-level context in order to delegate the permission. Retagging takes forever, as we're discovering with `allow`.