On 2015-03-12 12:57 PM, Boris Zbarsky wrote:
On 3/12/15 12:19 PM, Ehsan Akhgari wrote:
(Note that the
fullscreen API cannot be used outside of user generated event handlers.)
Oh, good point. That helps a lot, yes.
So do you think it makes sense to restrict iframes requesting certain
permissions?
The downside is that there are probably legit use cases for iframes
requesting some permissions too; for example, it's very common for an
iframe to request fullscreen (e.g. the Vimeo video embedding iframes).
One could envision map widgets implemented as iframes which may want to
geolocate, or Google Hangout/Firefox Hello widgets that let you embed a
video chat service in your website.
Another concern with persisting permissions requested from iframes is
that it's possible to conceive of a TLS website (such as
https://geolocator.com) hosting a widget that, for example, geolocates you
and window.parent.postMessage()'s the info to the embedder. If
http://goodguy.com embeds this kind of widget in a real mapping app and
the user chooses to grant geolocator.com a persistent permission to
geolocate anywhere (presumably because they trust goodguy.com), then
evil.com can come around and embed the same widget in a possibly
invisible iframe and profit. Although I'm not sure how realistic this
attack is...
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
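
The embedding scenario from the message above, as an added JavaScript example that is not part of the original thread: a widget that posts to any parent, next to one that answers only an allowlisted embedder and pins the reply's target origin. `ALLOWED_EMBEDDERS`, `fakeParent`, the `get-position` message type, the `"*"` target origin and the `http://` scheme on evil.com are assumptions made for the simulation, which runs in Node without a browser.

```javascript
// Added example: hypothetical geolocation widget, simulated without a browser.
// Assumption: the widget operator keeps a list of embedders it agreed to serve.
const ALLOWED_EMBEDDERS = new Set(["http://goodguy.com"]);

// Constructed stand-in for window.parent. It models the one browser rule that
// matters here: postMessage delivers only if targetOrigin is "*" or equals the
// receiving window's own origin.
function fakeParent(origin) {
  const inbox = [];
  return {
    origin, inbox,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) inbox.push(data);
    },
  };
}

// Widget as described in the thread; the "*" target origin is an assumption.
function naiveWidget(parent, position) {
  parent.postMessage({ type: "position", position }, "*");
}

// Hardened widget: answer only a request that came from the direct parent and
// from an allowlisted origin, and pin the reply to that origin.
function hardenedWidget(event, parent, position) {
  if (event.source !== parent) return false;              // not our embedder
  if (!ALLOWED_EMBEDDERS.has(event.origin)) return false; // unknown embedder
  if (!event.data || event.data.type !== "get-position") return false;
  parent.postMessage({ type: "position", position }, event.origin);
  return true;
}

// Run both widgets inside a given embedder and report what the embedder saw.
function embedIn(origin) {
  const position = { lat: 0, lon: 0 }; // constructed sample value
  const naive = fakeParent(origin);
  naiveWidget(naive, position);
  const hardened = fakeParent(origin);
  const request = { source: hardened, origin, data: { type: "get-position" } };
  const answered = hardenedWidget(request, hardened, position);
  return { naiveDelivered: naive.inbox.length, hardenedDelivered: hardened.inbox.length, answered };
}

console.log(embedIn("http://goodguy.com"));
console.log(embedIn("http://evil.com"));
```

A `Content-Security-Policy: frame-ancestors` header on the widget page enforces the same allowlist at load time, before any script runs.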