Re: Intent to ship: restrict access to request notification permissions from cross-origin iframes

2019-08-09 Thread Martin Thomson
This is a great move for improving transparency and accountability of
sites. Good work to all those who helped get us this far.

On Sat, 10 Aug. 2019, 01:02 Ehsan Akhgari,  wrote:

> Hi everyone,
>
> We currently allow cross-origin iframes to request notification
> permissions.  This is problematic because we'd like to move to a model
> where permissions are only requested for the top-level document’s origin in
> order to show non-address-bar origins as little to the user as possible.
> Therefore, in Firefox 70 I plan to land a change in bug 1560741[1] to deny
> such permission requests without showing a prompt.
>
> Chrome has announced this change over 2 years ago[2], but have yet to ship
> it.  Our telemetry for beta 68 shows that cross-origin use of this feature
> has very low usage[3] at around 0.02% of notification requests.
>
> We’ll also log a warning in the web console when denying the permission
> request because of this reason.
>
> Please let me know if you have any questions or concerns.
>
> Thanks,
> Ehsan
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1560741
> [2]
>
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/n37ij1E_1aY
> [3] https://mzl.la/2Mafa6q
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Intent to ship: restrict access to request notification permissions from cross-origin iframes

2019-08-09 Thread Ehsan Akhgari
Hi everyone,

We currently allow cross-origin iframes to request notification
permissions.  This is problematic because we'd like to move to a model
where permissions are only requested for the top-level document’s origin in
order to show non-address-bar origins as little to the user as possible.
Therefore, in Firefox 70 I plan to land a change in bug 1560741[1] to deny
such permission requests without showing a prompt.

Chrome has announced this change over 2 years ago[2], but have yet to ship
it.  Our telemetry for beta 68 shows that cross-origin use of this feature
has very low usage[3] at around 0.02% of notification requests.

We’ll also log a warning in the web console when denying the permission
request because of this reason.

Please let me know if you have any questions or concerns.

Thanks,
Ehsan

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1560741
[2]
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/n37ij1E_1aY
[3] https://mzl.la/2Mafa6q
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform