Reference Permissions Policy for Cross-Origin iframe Support #233

Merged
merged 1 commit into from
Mar 16, 2022

johannhof
Contributor

I think there's a misconception in the explainer that PP would only be useful for per-page control. It actually supports both iframe and header controls. Assuming that the header feature is not harmful to FedCM, PP is the recommended way of adding new `allow` features, makes it easier for implementers to support and more versatile for web developers to work with.
@johannhof
Contributor Author

@samuelgoto @dj2 wdyt? :)

@johannhof
Contributor Author

Oh, and, assuming this change is accepted I'm happy to update the spec as well. Maybe I should have filed an issue for this instead, apologies :)

Collaborator

@npm1 npm1 left a comment

I actually was going to ask about this (I thought the right way would be Document Policy, but this seems correct if PP actually supports iframes). I agree with this PR :)

@@ -377,31 +377,24 @@ tokens = await cred.refresh({

The IDP calls for `refresh` have not been flushed out yet.

#### iframe Support
#### Cross-Origin iframe Support
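
Review bot: Renaming the heading from "iframe Support" to "Cross-Origin iframe Support" also changes the section anchor that Markdown renderers derive from the heading text, so any link that targets the old anchor will stop resolving. Worth searching the explainer and the spec for references to the old section anchor and updating them in the same change.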
Collaborator

nit: Cross-origin?

Collaborator

@dj2 dj2 left a comment

Ah, interesting. So the Policy turns on FedCM for a given page by setting it to 'self'. That doesn't inherit down to iframes. The iframe is then marked up as "allow=fedcm" which enables the policy in that iframe. That makes sense, and this lgtm.
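
A simplified one-level model of the Permissions Policy evaluation discussed in this thread, added here as an example (not code from the PR, the explainer or the FedCM project): it decides whether a feature is enabled in an iframe from the parent's header allowlist and the iframe's `allow` attribute. The token `fedcm` is taken from the comment above, the default allowlist of 'self' is an assumption, and the origins and function names are constructed for illustration.

```javascript
// Simplified one-level model of Permissions Policy evaluation for an iframe.
// ASSUMPTIONS: "fedcm" is the token used in the comment above (not a confirmed
// feature name), its default allowlist is 'self', the parent is a top-level
// page, and the frame's document origin equals its src origin.
const FEATURE = "fedcm";

// An allowlist matches when it contains "*" or the exact origin.
const matches = (allowlist, origin) =>
  allowlist.includes("*") || allowlist.includes(origin);

// Parse an iframe allow attribute such as "camera 'none'; fedcm https://idp.example".
// A bare feature name is shorthand for 'src' (the origin of the iframe's src URL).
function parseAllow(attr, parentOrigin, srcOrigin) {
  const policy = new Map();
  for (const directive of (attr || "").split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const list = values.length ? values : ["'src'"];
    policy.set(name, list.map((v) =>
      v === "'src'" ? srcOrigin : v === "'self'" ? parentOrigin : v));
  }
  return policy;
}

// headerAllowlist: what the parent's Permissions-Policy response header declares
// for FEATURE (e.g. ["'self'", "https://idp.example"]), or null if undeclared.
function enabledInFrame({ parentOrigin, frameOrigin, allowAttr = "", headerAllowlist = null }) {
  if (headerAllowlist) {
    const declared = headerAllowlist.map((v) => (v === "'self'" ? parentOrigin : v));
    // The header is a ceiling: the feature must be on in the parent, and the
    // frame's origin must be listed, before the allow attribute is considered.
    if (!matches(declared, parentOrigin) || !matches(declared, frameOrigin)) return false;
  }
  const container = parseAllow(allowAttr, parentOrigin, frameOrigin);
  if (container.has(FEATURE)) return matches(container.get(FEATURE), frameOrigin);
  return frameOrigin === parentOrigin; // default allowlist 'self': same-origin only
}

// Constructed origins for illustration.
const RP = "https://rp.example", IDP = "https://idp.example";
const cases = [
  { allowAttr: "", headerAllowlist: null },                    // no delegation
  { allowAttr: "fedcm", headerAllowlist: null },               // delegated to src
  { allowAttr: "fedcm", headerAllowlist: ["'self'"] },         // header excludes IDP
  { allowAttr: "fedcm", headerAllowlist: ["'self'", IDP] },    // both agree
];
for (const c of cases) {
  console.log(JSON.stringify(c), "->", enabledInFrame({ parentOrigin: RP, frameOrigin: IDP, ...c }));
}
```

In this model a cross-origin frame needs the `allow` attribute, and when the parent also sends a header for the feature, the frame's origin has to appear in that header's allowlist as well.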

@samuelgoto
Collaborator

Looks great to me, thanks for the clarification! Accepting and merging (and yes, would love to accept a PR for the spec too if you can get to it!!)!!

@samuelgoto samuelgoto merged commit 33a1bac into w3c-fedid:main Mar 16, 2022
github-actions bot added a commit that referenced this pull request Mar 16, 2022
SHA: 33a1bac
Reason: push, by @samuelgoto

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
johannhof added a commit to johannhof/FedCM that referenced this pull request Mar 24, 2022
@johannhof johannhof deleted the patch-1 branch August 3, 2022 13:09
johannhof added a commit to johannhof/FedCM that referenced this pull request Aug 4, 2022
johannhof added a commit to johannhof/FedCM that referenced this pull request Aug 4, 2022
johannhof added a commit to johannhof/FedCM that referenced this pull request Aug 4, 2022
samuelgoto pushed a commit that referenced this pull request Aug 16, 2022
* Use Permissions Policy instead of sameOriginWithAncestors

See rationale here:
#233 (comment)

* Update feature name based on feedback
cbiesinger pushed a commit to cbiesinger/WebID that referenced this pull request Oct 7, 2022
…id#233)

I think there's a misconception in the explainer that PP would only be useful for per-page control. It actually supports both iframe and header controls. Assuming that the header feature is not harmful to FedCM, PP is the recommended way of adding new `allow` features, makes it easier for implementers to support and more versatile for web developers to work with.
cbiesinger pushed a commit to cbiesinger/WebID that referenced this pull request Oct 7, 2022
)

* Use Permissions Policy instead of sameOriginWithAncestors

See rationale here:
w3c-fedid#233 (comment)

* Update feature name based on feedback