Hi all,
Within the Geolocation Working Group we've been discussing a few
different methods of securing the location API, one of which is
described below by Doug Turner [1]:
On May 21, 2009, at 6:02 PM, Doug Turner wrote:
got some feedback on this. this isn't how it works today, but I
think it is the way it should work in the future. Even more so, I
have been considering restricting device apis (like geolocation) to
top level documents only and prevent iframes from accessing this
APIs. I did get some push back in Dec when I suggested this at our
w3c devices workshop (are the notes anywhere for this? thomas?).
This will break many of the sites like igoogle and others that embed
content from remote origins. However such sites, could use
something like PostMessage to explicitly send data.
Is this an overkill? Thoughts?
This seems like an idea on which both WebApps and the Device API and
Policy WG's would be interested in contributing to a discussion.
Already some members of those groups have already been contributing in
this thread [2]. (We're tracking this as ISSUE-9 [3])
Thank you,
-Matt Womer
[1] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0053.html
[2] http://lists.w3.org/Archives/Public/public-geolocation/2009May/0055.html
[3] http://www.w3.org/2008/geolocation/track/issues/9
