reillyeon
commented
6 years ago No, it is not required. The history of this decision is covered in 3.2. Attacking a Device. At this point there shouldn't be any old versions of the spec floating around and all shipping versions of Chrome implement the same behavior.
karelbilek
I am not a little lost in the various versions of the draft and various Chrome versions.
Is now GET_ALLOWED_ORIGINS required, either for top-level access or for iframe access (or, in the future, in shared workers for example)? I cannot find it in the specs anymore, so it seems it is indeed not needed.