Open annevk opened 5 years ago
When A delegates to B, B can share the permission with whoever it wants.
True, that was by design, since b could (in most cases) just proxy data to C if it was interested in doing something nefarious anyway. By delegating to B, a is expressing a degree of trust in B that it will use the features responsibly, and that includes being able to further delegate as required.
And if B wants to protect A from B being navigated to C, it has to rely on A getting it right.
I'm not sure I follow -- does B need to protect A? A, by delegating to B specifically, is just saying "I trust B, and B can delegate further if it needs to, but if the frame ends up hosting content that neither I nor B have delegated the permission to, then it doesn't get the permission"
In general I'd also expect B to open popups instead and not navigate the frame as that's not something that's well-understood and works poorly on mobile.
In what way is it not well-understood? B only has to include an <a>
element in order for the frame to be navigated. Is it that the back/forward history navigation gets more complex in that case?
B does not need to protect A, but if it wants to there are no tools. It was mostly meant to indicate that this functionality isn't really serving B either.
And I meant that navigation of frames is not well-understood by users and likely avoided by a third-party service.
I figured I'd raise https://github.com/w3c/webappsec-feature-policy/issues/230#issuecomment-519525216 in a new issue.
When A delegates to B, B can share the permission with whoever it wants. So A is not protected from B, if it decides to delegate. And if B wants to protect A from B being navigated to C, it has to rely on A getting it right. In general I'd also expect B to open popups instead and not navigate the frame as that's not something that's well-understood and works poorly on mobile.
So I don't think the rather complicated model we have today is really justified and therefore I'd rather only support feature/permission identifiers and not https://w3c.github.io/webappsec-feature-policy/#allow-list.
cc @bzbarsky @clelland