Closed rakuco closed 8 months ago
cc @anssiko @reillyeon, I've noticed this after finally taking a look at #126.
I see the "top-level and same-origin children" requirement as having been a stop-gap until the Permissions Policy controls were in place and the capability could be delegated to cross-origin children only when the top-level document opted in.
I agree with your proposal.
I've just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1878686 to let the Gecko developers know about these changes.
With the official integration of the Permissions Policy bits in #121, we now have contradicting requirements in the spec:
The same-origin requirement was added back in 2016 with #25, and it was implemented by Gecko in https://bugzilla.mozilla.org/show_bug.cgi?id=1197901 (change mirrored in https://github.com/mozilla/gecko-dev/commit/bdb1f6d5c64b200ce69afe4e2a764d20e59fd3b9).
As far as I can see, this requirement was never implemented in Blink, but it did add Permissions Policy integration in early 2018 (https://bugs.chromium.org/p/chromium/issues/detail?id=796894). When WebKit implemented this API a few years later, they did add Permissions Policy integration as well, so we have 2 engines implementing the Permissions Policy integration and 1 implementing the same-origin requirement.
My proposal is to remove that item from the S&P section and add a new item referring to the Permissions API and Permissions Policy integration requirements. The current Permissions Policy requirements (with features whose default allowlist is "self") act as a superset of the original requirement -- AFAICS, an implementation that switches from one requirement to the other will continue allowing the exact same set of sites (and this is without taking the Permissions API integration into consideration).