Closed johannhof closed 1 year ago
How would this not expose "storage-access" to permissions.query()
? As I mentioned before we shouldn't regress on the goals of #120 so that ought to be tackled at the same time.
How would this not expose "storage-access" to
permissions.query()
? As I mentioned before we shouldn't regress on the goals of #120 so that ought to be tackled at the same time.
I had hoped to tackle this problem as a separate follow-up but yeah, I can make a PR for permissions to add support for that and then we can add it to this PR.
@annevk if you're okay with this PR I think it would be good to merge given that the Permissions changes merged.
Thanks!
I'd just like to note on the record that there are still many issues with this Permissions integration, which actually makes it hard to tell if any of them are critical in some manner.
Ok, can we list them out for a moment (also to figure out if this PR needs to address any of them)? I'm aware of #144 and #143 (missing WPTs for observing permissions). What else were you thinking of?
The things I notice are mainly editorial, but given there's many it makes me worried I'm overlooking other things. It's not just this PR though.
I should make time to do a pass at one point.
Looking at the PR again I wonder if we were firmly settled on using origin for the embedded website?
Looking at the PR again I wonder if we were firmly settled on using origin for the embedded website?
So, I think we said that we could use origin for now but note that user agents have the liberty to auto-grant requests that have existing permissions with same-site embedees. Thinking about this now I think I actually prefer the (site, site) boundary now, as that would allow observers from adjacent same-site iframes to see the permission grant.
Depending on what @bvandersloot-mozilla thinks we could move to (site, site), but maybe we should do this in a follow-up to have the decision recorded explicitly?
I'm okay with setting (site, site) now, given the other discussions on preserving origin boundaries for security.
Ok, filed #147 for (site, site) and happy to follow-up with that.
I filed https://bugs.chromium.org/p/chromium/issues/detail?id=1401266 for Chromium supporting and WPTesting the Permissions API for storage-access.
(I seem to not have sufficient access to unresolve an issue. It's the first of the three threads above.)
I'll merge this now but will leave the follow-up bits unresolved in case you had something else in mind. :)
This is building on top of https://github.com/w3c/permissions/pull/390 to integrate SAA with permissions. It's deleting a lot of old manual state management but doesn't get rid of the (global) storage access map altogether, since that is done in the per-frame change being worked on by @cfredric.
This is a bit WIP just by virtue of the other change not having merged yet. I removed some of the references to the other spec to avoid the build from breaking.
test_driver.set_permission
in tests. We could follow up with tests that confirm that thestorage-access
feature is exposed via permissions APIs but that may need a separate spec change.Preview | Diff