From: Jonas Sicking [mailto:jo...@sicking.cc]
> I agree with Anne. What Domenic describes sounds like something similar to
> CORS. I.e. a network protocol which lets a server indicate that it trusts a
> given party.

I think my point would have been stronger without the /.well-known protocol thingy. Removing that: Do you think it's acceptable for browsers to experiment with e.g. auto-granting permission if the requested remoteAddress is equal to the IP address of the origin executing the API? Does that seem like current permission API conditions (i.e. not standardized), or more like CORS (standardized)?

> However, in my experience the use case for the TCPSocket and UDPSocket
> APIs is to connect to existing hardware and software systems. Like printers or
> mail servers. Server-side opt-in is generally not possible for them.

Right. My thrown-out-there idea was really just meant as an example of a potential experiment browsers could independently run on their own (like they do with other permissions today). It's not a proposal for the ultimate security model for this API.