--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
Hi Raymes et al,I have a few questions:
1. Are there any signals from other browser vendors about the proposal? What's the cross-browser compatibility path here?
2. What would be the best way for the developers of the embedded site to add a feature if it requires a new permission?It seems like they can just provide an HTML snippet that would delegate all the permissions and even add them using the proposed JS API. Otherwise they might have to chase all the embedders to update their sites. Is there a better option? Do we envision these permissions go away with time like currently planned for fullscreen and mouse lock or do we think there will be more?
3. What about other per-frame features that might show the frame origin in similar contexts (notifications, EME, device pickers, etc)?
4. Do we know what's the usage patterns are and how the proposed changes will affect them? In other words are the worrying examples given (e.g. with Amex) common or not?
I think this is a bit hostile. Example -The user does not trust Microsoft, but a website they do trust embeds a WebRTC based Microsoft experience for support calls.Permitting the top level website access to the user media implies permitting Microsoft that same access automatically.
Hey Anton, thanks for your comments! See replies inline.Thanks!RaymesOn Wed, 3 Feb 2016 at 21:59 Anton Vayvod <ava...@chromium.org> wrote:Hi Raymes et al,I have a few questions:
1. Are there any signals from other browser vendors about the proposal? What's the cross-browser compatibility path here?No, but I'm glad it's being discussed now :) Note that even at present we don't have consistency of iframe permission behavior across browsers (this is outlined in the doc). It's not exactly clear what parts of the proposal we would want to put into a specification. The delegation API certainly requires a spec (which we are working on) but that can be treated orthogonally to the scoping behavior/UI. We will definitely be reaching out to discuss this more with other browsers.
2. What would be the best way for the developers of the embedded site to add a feature if it requires a new permission?It seems like they can just provide an HTML snippet that would delegate all the permissions and even add them using the proposed JS API. Otherwise they might have to chase all the embedders to update their sites. Is there a better option? Do we envision these permissions go away with time like currently planned for fullscreen and mouse lock or do we think there will be more?This is a good question. The trust decision for an iframe is transferred from the user to the top level website. So it is always the responsibility of the top level website to decide what permissions it is comfortable sharing to the iframe. If an iframe'd website changes what permissions it uses, it's not necessarily a bad thing that the embedder has to change. The website owner is making a decision about whether they trust the iframe'd origin with the new permission.If an embedded website chooses to offer a snippet that delegates all permissions, it's up to the website owner pasting that snippet whether they are comfortable with that - they choose whether or not to trust the snippet. People can offer snippets to do all sorts of things on someone elses origin and there isn't much we can do about that.In reality, I think trustworthy websites will be careful about what snippets they paste into their website and limit delegated permissions to those they are comfortable with. Untrustworthy websites may not be careful about this, but a user also isn't as likely to trust them when granting a permission. Similarly, trustworthy developers offering code snippets will be mindful of their embedders and not unnecessarily try to delegate permissions that they know they won't need.
3. What about other per-frame features that might show the frame origin in similar contexts (notifications, EME, device pickers, etc)?Hmm, I'm not sure exactly what you mean here? The proposal would apply to all features which require permission including device pickers. The proposal does not apply to permissions granted for use in the background, such as push notifications.
4. Do we know what's the usage patterns are and how the proposed changes will affect them? In other words are the worrying examples given (e.g. with Amex) common or not?We aren't aware of many other examples of such behavior (at most one). We do know that usage of permissions in iframes is already very low and within the deprecation range (see the doc for details). Also, we will go through the regular deprecation process, including showing console warnings and instructions for how embedders can be updated for at least one milestone.
Hi Raymes,Thanks for the replies. Comments below:On Thu, Feb 4, 2016 at 5:23 AM, Raymes Khoury <ray...@chromium.org> wrote:Hey Anton, thanks for your comments! See replies inline.Thanks!RaymesOn Wed, 3 Feb 2016 at 21:59 Anton Vayvod <ava...@chromium.org> wrote:Hi Raymes et al,I have a few questions:
1. Are there any signals from other browser vendors about the proposal? What's the cross-browser compatibility path here?No, but I'm glad it's being discussed now :) Note that even at present we don't have consistency of iframe permission behavior across browsers (this is outlined in the doc). It's not exactly clear what parts of the proposal we would want to put into a specification. The delegation API certainly requires a spec (which we are working on) but that can be treated orthogonally to the scoping behavior/UI. We will definitely be reaching out to discuss this more with other browsers.I've seen the comparison. As I see it, all browsers listed but Chrome (and Chromium-based Opera), have very similar per-frame model with little deviations compared to the current and even more the proposed model in Chrome. The document even highlights it with "similar to Firefox".
2. What would be the best way for the developers of the embedded site to add a feature if it requires a new permission?It seems like they can just provide an HTML snippet that would delegate all the permissions and even add them using the proposed JS API. Otherwise they might have to chase all the embedders to update their sites. Is there a better option? Do we envision these permissions go away with time like currently planned for fullscreen and mouse lock or do we think there will be more?This is a good question. The trust decision for an iframe is transferred from the user to the top level website. So it is always the responsibility of the top level website to decide what permissions it is comfortable sharing to the iframe. If an iframe'd website changes what permissions it uses, it's not necessarily a bad thing that the embedder has to change. The website owner is making a decision about whether they trust the iframe'd origin with the new permission.If an embedded website chooses to offer a snippet that delegates all permissions, it's up to the website owner pasting that snippet whether they are comfortable with that - they choose whether or not to trust the snippet. People can offer snippets to do all sorts of things on someone elses origin and there isn't much we can do about that.In reality, I think trustworthy websites will be careful about what snippets they paste into their website and limit delegated permissions to those they are comfortable with. Untrustworthy websites may not be careful about this, but a user also isn't as likely to trust them when granting a permission. Similarly, trustworthy developers offering code snippets will be mindful of their embedders and not unnecessarily try to delegate permissions that they know they won't need.Do we know how much of useful content on the web is being actively maintained by web developers? Do we know how many of those websites and developers are trustworthy? I don't have the data and doubt it's easy to get but I have a feeling that a big chunk of the web is left out with this position.
3. What about other per-frame features that might show the frame origin in similar contexts (notifications, EME, device pickers, etc)?Hmm, I'm not sure exactly what you mean here? The proposal would apply to all features which require permission including device pickers. The proposal does not apply to permissions granted for use in the background, such as push notifications.The proposal only lists a few permissions it will apply to. There're other cases where the UA would show some kind of prompt or dialog saying "foo.com wants to do X" and user can dismiss the dialog or pick the action. If the proposal is going to apply to all of those, the usage and potential problems need to be assessed as iframes will be limited even more.
4. Do we know what's the usage patterns are and how the proposed changes will affect them? In other words are the worrying examples given (e.g. with Amex) common or not?We aren't aware of many other examples of such behavior (at most one). We do know that usage of permissions in iframes is already very low and within the deprecation range (see the doc for details). Also, we will go through the regular deprecation process, including showing console warnings and instructions for how embedders can be updated for at least one milestone.Relying only on usage counters can be dangerous (an example from the past where the usage was low but it broke many websites on one platform: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/Bxe7DnDVRZ0/discussion).Have you reached out to at least big properties that are embedded often? I hope getting reasonable feedback from Web developers with a lot at stake will be part of the decision making.