Closed aromalanil closed 1 month ago
Yes, in this case, the https://game.com/ subframe is allowed to delegate the geolocation permission to https://work.com. Permissions-policy uses origins for comparison, and https://resources.game.com and https://work.com are both cross-origin to https://game.com.
@clelland Thanks for the clarification. In this case wouldn't it be better to use URLs that are not subdomain for the example, to avoid the confusion if this is only applicable for subdomains.
Description
In the 4th example of Permission Policy "Policy only directly affects child frame", the senerio mentioned is
geolocation
permission to "game.com"geolocation
access.In this scenario it is mentioned that "game.com" can allocate permission to the "resources.game.com", as a trusted subframe is able to delegate access to a feature to one of its subframes.
Question
Will this happen when the subframe is of a cross-domain?
In the given scenario, the "resources.game.com" is a sub-domain of the frame "game.com". Will this also work if the subframe was of a cross domain, let say "work.com"
example.com
game.com