hillbrad
commented
9 years ago I think we could have a CSP directive that disabled the permission (even if previously enabled on the origin), and the ability to ask for it, on a resource-by-resource basis. I'm in the exact same situation as you and would love to be able to do that.
But placing a resource in a permission jail is different than trying to achieve a finer-grained permission API. Because the Same Origin Policy doesn't place security barriers between resources at the same origin, a path that is denied can always compel a path that is allowed to act as its deputy. So you can selectively deny, but you can't selectively grant.
On Mon, Apr 27, 2015 at 1:37 PM Andy Earnshaw notifications@github.com wrote:
I work for a large-scale adserving company who hosts third-party creatives on our CDN. One of the challenges we have at the moment is controlling the scope of the Permissions API. Consider the following case:
- User visits a website with an ad placement served from our CDN.
- User interacts with the ad, which wants to show him offers from local businesses close to him, asking to locate him via the Geolocation API.
- User disallows access to Geolocation API and stops interacting with the ad.
- Later, user visits another website with a different ad placement served from the same CDN.
- User interacts with the ad, which shows him a map with all the advertiser's retail stores as markers on the map.
- User repeatedly clicks the "locator" button on the map with frustration, but it has no effect because he already denied permissions to the Geolocation API earlier, and this applied to the entire CDN domain.
Given that, I'd like to suggest that a new directive could be implemented to change the scope of permissions from applying to an entire origin, to origin + path. For example, given the URL http://cdn.mydomain.com/1234567/12345/index.html, a relative or absolute path could be supplied. The following would be synonymous:
Content-Security-Policy: permissions-scope ../ Content-Security-Policy: permissions-scope /1234567/
Obviously an absolute URL would need to match the current origin and be part of the current path's tree. For our use case, this would scope the permissions to a specific campaign, so other campaigns would need to request permissions for themselves.
This could also be useful for other sites hosting third-party content, such as JSFiddle, CodePen, or eBay listings. Is this something that could be considered for the specification?
— Reply to this email directly or view it on GitHub https://github.com/w3c/webappsec/issues/312.
andyearnshaw
I work for a large-scale adserving company who hosts third-party creatives on our CDN. One of the challenges we have at the moment is controlling the scope of the Permissions API. Consider the following case:
Given that, I'd like to suggest that a new directive could be implemented to change the scope of permissions from applying to an entire origin, to origin + path. For example, given the URL http://cdn.mydomain.com/1234567/12345/index.html, a relative or absolute path could be supplied. The following would be synonymous:
Obviously an absolute URL would need to match the current origin and be part of the current path's tree. For our use case, this would scope the permissions to a specific campaign, so other campaigns would need to request permissions for themselves.
This could also be useful for other sites hosting third-party content, such as JSFiddle, CodePen, or eBay listings. Is this something that could be considered for the specification?