By construction, they have to trust the host page at least as much as
they trust any gadget in the page, for any meaning of "trust".  So if
they want the gadget to have geo access, they necessarily want the
host page to have geo access.  Once the host page has geo access, you
can mediate the gadget access with a popup dialog.

On Sun, Aug 18, 2013 at 9:55 AM,  <[email protected]> wrote:
>
> Comment #4 on issue 1815 by felix8a: please allow navigator.geolocation
> http://code.google.com/p/google-caja/issues/detail?id=1815
>
> Part of Caja's intent is to allow mutually distrustful code to run on the
> same page, which means they're considered to be the same domain by the
> browser. The browser's geolocation policy is applied per-domain, so saying
> "yes" to geolocation for one untrusted gadget would be saying yes to
> geolocation for all untrusted gadgets, which is probably not what people
> want.
>
> In some cases it's possible for a container to use Caja in a way such that
> every untrusted gadget is in a unique domain, so that saying yes to one
> untrusted gadget does not also mean yes for every untrusted gadget. For
> situations like that, Caja could expose a container policy flag that means
> "I'm also sandboxing with unique domains so you can allow features like
> geolocation".
>
>
> --
> You received this message because this project is configured to send all
> issue notifications to this address.
> You may adjust your notification preferences at:
> https://code.google.com/hosting/settings
>
> --
>
> ---You received this message because you are subscribed to the Google Groups
> "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.



-- 
Mike Stay - [email protected]
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com
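
The mediation described in the reply above, as an added example that is not part of the original thread or of Caja's own code: the host page holds the browser's per-domain geolocation grant and hands each gadget a wrapper that asks the user per gadget. The names makeGeoMediator, tamedGeoFor, revoke and askUser are hypothetical; askUser stands for the host's popup dialog (for instance a window.confirm call).

```javascript
// Added example: host-side, per-gadget mediation of geolocation.
// All names here are hypothetical; none of them is a Caja API.
function makeGeoMediator(realGeo, askUser) {
  // Per-gadget decisions: gadgetId -> true (granted) | false (denied).
  const decisions = new Map();

  function decide(gadgetId) {
    if (!decisions.has(gadgetId)) {
      // The dialog must name the gadget, so a "yes" applies to that gadget
      // only and not to every gadget sharing the host page's domain.
      decisions.set(gadgetId, askUser(gadgetId) === true);
    }
    return decisions.get(gadgetId);
  }

  return {
    // The only geolocation object a given gadget is ever handed.
    tamedGeoFor(gadgetId) {
      return Object.freeze({
        getCurrentPosition(onSuccess, onError) {
          if (!decide(gadgetId)) {
            // 1 is PERMISSION_DENIED in the Geolocation API.
            if (typeof onError === 'function') {
              onError({ code: 1, message: 'User denied geolocation' });
            }
            return;
          }
          realGeo.getCurrentPosition(
            // Copy plain values so the gadget never holds a host object.
            (pos) => onSuccess({
              coords: Object.freeze({
                latitude: pos.coords.latitude,
                longitude: pos.coords.longitude,
                accuracy: pos.coords.accuracy,
              }),
              timestamp: pos.timestamp,
            }),
            (err) => {
              if (typeof onError === 'function') {
                onError({ code: err.code, message: String(err.message) });
              }
            }
          );
        },
      });
    },
    // Forget a decision so the user is asked again on the next request.
    revoke(gadgetId) { decisions.delete(gadgetId); },
  };
}
```

In a browser the host would construct it as makeGeoMediator(navigator.geolocation, ...) after the page itself has been granted geolocation.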
