From: Boris Zbarsky [mailto:bzbar...@mit.edu]
> This particular example sets of alarm bells for me because of virtual hosting. Eek! Yeah, OK, I think it's best I refrain from trying to come up with specific examples. Let's forget I said anything... > As in, this seems like precisely the sort of thing that one browser might > experiment with, another consider an XSS security bug, and then we have > content that depends on a particular browser, no? My argument is that it's not materially different from existing permissions APIs. Sometimes the promise is rejected, sometimes it isn't. (Note that either outcome could happen without the user ever seeing a prompt.) The code works in every browser---some just follow the denied code path, and some follow the accepted code path. That's fine: web pages already need to handle that.