privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

Possibly don't require user interaction to call requestStorageAccess #192

Closed jcubic closed 8 months ago

jcubic commented 9 months ago

I think that it is a little bit of an overreaction (not sure what to call it) to require the function to be triggered by a user action. AFAIK, functions that require user action don't show any UI, like the Video play() method on mobile. But here there is a modal popup (part of the browser interface) where the user needs to give permission to allow the use of the Storage API.

So I think this is not needed; one of those can go away, and I don't think that it will risk any security problems. I personally think that the permission dialog is needed, but I don't think that you need user interaction, especially from an iframe. Also, note that if someone really wants to, he can use clickjacking techniques to convince the user to click on the button to trigger the action. This gives no security of any kind.

So I would just get rid of the requirement of user interaction from the implementation.

What do you think?

Asked here first: https://github.com/arichiv/saa-non-cookie-storage/issues/9

annevk commented 8 months ago

It's very normal to require user interaction in order to be able to display a dialog to the user. Most permission dialogs work this way.