Mike West · Jan 15, 2018 · 7:38 AM UTC

Mike West

Mike West @mikewest

15 Jan 2018

This is an important change to the way permissions could work in Chrome. I think it’s a good change, but deserves thought and discussion. Feedback would be excellent.

Intent To Ship @intenttoship

15 Jan 2018

Blink: Intent to implement: Permission Delegation groups.google.com/a/chromium…

Bil Corry · Jan 15, 2018 · 4:15 PM UTC

Bil Corry · Jan 15, 2018 · 4:15 PM UTC

Bil Corry @bilcorry

15 Jan 2018

Replying to @mikewest

How does this square with @johnwilander Storage Access API? It allows iframes to ask for permissions from the user.

Jan 15, 2018 · 4:15 PM UTC

Mike West · Jan 15, 2018 · 4:55 PM UTC

Mike West @mikewest

15 Jan 2018

Replying to @bilcorry @johnwilander

It's a good question that I hadn't thought about! I added a quick note to github.com/whatwg/html/issue… to discuss.

John Wilander 🇺🇦 · Jan 15, 2018 · 4:30 PM UTC

John Wilander 🇺🇦 @johnwilander

15 Jan 2018

Replying to @bilcorry @mikewest

I originally suggested the top origin should control whether iframes are allowed to call SAA. But @hillbrad said in the WebAppSec meeting that that’ll make adoption take a long time.

Mike West · Jan 15, 2018 · 4:57 PM UTC

Mike West @mikewest

15 Jan 2018

Yeah. I believe @hillbrad suggested that requiring top-level opt-in would practically boil down to requiring third-party script to execute in the top-level context in order to delegate the permission. Retagging takes forever, as we're discovering with `allow`.