From 97afb135474e866b3e90d1bf337fdb8db035fb01 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Fri, 10 May 2024 16:29:41 -0400 Subject: [PATCH 1/6] Add two "JS playground" examples. --- index.bs | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 745a4a3c..f61d7e4f 100644 --- a/index.bs +++ b/index.bs @@ -123,7 +123,7 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# will actually be granted the ability to use that API.

-

SecureCorp Inc. restructured its domains and now needs to needs to delegate +

SecureCorp Inc. restructured its domains and now needs to delegate use of the Geolocation API to its origin ("https://example.com") as well as three subdomains ("https://geo.example.com", "https://geo2.example.com", and "https://new.geo2.example.com"). @@ -163,6 +163,38 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# to use the Geolocation API, but any other ports on "https://example.com" could use it too.

+
+

JSPlaygroundCorp Inc. wants to host user-generated web applications, but wants the + browser to manage their permissions to use powerful features in isolation of each other. + This can be accomplished by creating discrete subdomains for each piece of web-content + or web-content creator, and navigating them as top-level documents (framework and + user-content can still be separated using same-origin iframes). + + JSPlaygroundCorp should avoid iframing the web-content using the "allow" + attribute from its own domain. +

+
+

PlatformCorp Inc. wants to offer a marketplace of embeddable third-party components + to build from or games to play. It wants to delegate + the use of powerful features like the getUserMedia API responsibly. It keeps + track of which components need a feature, using bespoke "install" UX to keep end-users + in charge.

+

Camera and microphone are disabled by default in all cross-origin frames. + Each third-party component has a subdomain, and can be embedded in a + cross-origin iframe. PlatformCorp can use the "allow" attribute on + the iframe element to control whether to delegate camera or microphone access or + not to each subdomain. + An iframe where "plugin1" and "plugin3" should have camera access and "plugin2" + should have microphone access might look like this: +

+    <iframe
+     allow="camera //plugin1.site.com //plugin3.site.com; microphone //plugin2.site.com"
+            src="//doc1.site.com" sandbox="allow-same-origin allow-scripts"></iframe>
+    
+

Iframe attributes can selectively enable features in certain frames, and + not in others, even if those contain documents from the same origin. + The list of sandbox tokens might be longer in practice.

+
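Review bot: the allowlist items in the new iframe example (`camera //plugin1.site.com //plugin3.site.com; microphone //plugin2.site.com`, and the `src="//doc1.site.com"`) are scheme-relative, but allowlist entries are origins and the directive parser runs each item through the URL parser, so spell them out as `https://plugin1.site.com` and so on to avoid entries silently failing to parse. The prose also says plugin1 and plugin3 get camera and plugin2 gets microphone, yet the frame's `src` origin `doc1.site.com` appears in neither list; a sentence saying that the frame is expected to be navigated to those component origins, and that the allowlist is matched against whichever document origin the frame holds at the time, would make the example self-explanatory. Minor wording in the JSPlaygroundCorp paragraph: "in isolation of each other" reads better as "in isolation from each other".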
From 79cdd0510fbc4239491b45b1dfd96118b35c8f39 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Thu, 20 Jun 2024 12:19:16 -0400 Subject: [PATCH 2/6] link to powerful features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marcos Cáceres --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index f61d7e4f..62dc2985 100644 --- a/index.bs +++ b/index.bs @@ -165,7 +165,7 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941#

JSPlaygroundCorp Inc. wants to host user-generated web applications, but wants the - browser to manage their permissions to use powerful features in isolation of each other. + browser to manage their permissions to use [=powerful features=] in isolation of each other. This can be accomplished by creating discrete subdomains for each piece of web-content or web-content creator, and navigating them as top-level documents (framework and user-content can still be separated using same-origin iframes). From 72c3f933f1cf096e53c3bede94fa319740f9edd3 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Thu, 20 Jun 2024 12:20:35 -0400 Subject: [PATCH 3/6] link to [=same origin=] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marcos Cáceres --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 62dc2985..b9c87b15 100644 --- a/index.bs +++ b/index.bs @@ -192,7 +192,7 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# src="//doc1.site.com" sandbox="allow-same-origin allow-scripts"></iframe>

Iframe attributes can selectively enable features in certain frames, and - not in others, even if those contain documents from the same origin. + not in others, even if those contain documents from the [=same origin=]. The list of sandbox tokens might be longer in practice.
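Review bot: with "[=same origin=]" now autolinked here, the earlier "same-origin iframes" in the JSPlaygroundCorp paragraph (visible in the context of the previous hunk) is still plain text; link it the same way so both mentions resolve to the same definition.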

From 6f9c4a3b18741cd071ad69f63d900310b909652f Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Thu, 20 Jun 2024 15:24:08 -0400 Subject: [PATCH 4/6] Integrate feedback and rephrease parts --- index.bs | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/index.bs b/index.bs index b9c87b15..da9c6ad3 100644 --- a/index.bs +++ b/index.bs @@ -23,6 +23,7 @@ spec:html; type:element; text:link spec:fetch; type:dfn; text:name spec:fetch; type:dfn; text:value spec:infra; type:dfn; text:list +spec:permissions; type:dfn; text:feature
 spec:payment-request; urlPrefix: https://w3c.github.io/payment-request/
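Review bot: the added anchor `spec:permissions; type:dfn; text:feature` has no visible use in this patch; the only new autolinks in the later hunk are `[=powerful features=]` and `{{MediaDevices/getUserMedia()}}`. If it is needed to disambiguate a `[=feature=]` reference elsewhere in index.bs, say so in the commit message, otherwise drop it to keep the anchors block minimal.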
@@ -170,25 +171,31 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941#
     or web-content creator, and navigating them as top-level documents (framework and
     user-content can still be separated using same-origin iframes).
 
-    JSPlaygroundCorp should avoid iframing the web-content using the "allow"
-    attribute from its own domain.
+    This is necessary since users grant permissions to the domain they perceive they
+    are interacting with in the browser, which is the top-level domain.
+
+    JSPlaygroundCorp should avoid iframing user-generated web applications using the
+    <{iframe/allow}> attribute from its own domain in this case, as this would grant
+    its domain permissions to all of them.
   
   
-

PlatformCorp Inc. wants to offer a marketplace of embeddable third-party components - to build from or games to play. It wants to delegate - the use of powerful features like the getUserMedia API responsibly. It keeps - track of which components need a feature, using bespoke "install" UX to keep end-users - in charge.

+

PlatformCorp Inc. wants to offer a marketplace of embeddable third-party + components to build from or games to play under its top-level domain. It wants to + delegate the use of [=powerful features=] like the {{MediaDevices/getUserMedia()}} + API responsibly. It accepts responsibility for tracking which of its component + applications need a feature, using bespoke "install" UX to keep end-users in + charge.

Camera and microphone are disabled by default in all cross-origin frames. Each third-party component has a subdomain, and can be embedded in a - cross-origin iframe. PlatformCorp can use the "allow" attribute on - the iframe element to control whether to delegate camera or microphone access or - not to each subdomain. - An iframe where "plugin1" and "plugin3" should have camera access and "plugin2" - should have microphone access might look like this: + cross-origin iframe. PlatformCorp can use the <{iframe/allow}> attribute on + the <{iframe}> element to control whether to delegate camera or microphone + access or not to each subdomain. If the user already trusts PlatformCorp then + there might be no additional permission prompt in this case. + + An iframe where the component "app1" should have camera access, "app2" should + have microphone access, and "app3" should have both might look like this:

-    <iframe
-     allow="camera //plugin1.site.com //plugin3.site.com; microphone //plugin2.site.com"
+    <iframe allow="camera //app1.site.com //app3.site.com; microphone //app2.site.com"
             src="//doc1.site.com" sandbox="allow-same-origin allow-scripts"></iframe>
     

Iframe attributes can selectively enable features in certain frames, and From 8a3de8f3ff758e209ffcf109e0f02d6bb993d5d3 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Thu, 20 Jun 2024 15:33:33 -0400 Subject: [PATCH 5/6] Move note about permission prompt last --- index.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index da9c6ad3..5775b27c 100644 --- a/index.bs +++ b/index.bs @@ -189,8 +189,7 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# Each third-party component has a subdomain, and can be embedded in a cross-origin iframe. PlatformCorp can use the <{iframe/allow}> attribute on the <{iframe}> element to control whether to delegate camera or microphone - access or not to each subdomain. If the user already trusts PlatformCorp then - there might be no additional permission prompt in this case. + access or not to each subdomain. An iframe where the component "app1" should have camera access, "app2" should have microphone access, and "app3" should have both might look like this: @@ -201,6 +200,8 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941#

Iframe attributes can selectively enable features in certain frames, and not in others, even if those contain documents from the [=same origin=]. The list of sandbox tokens might be longer in practice.

+

If the user already trusts PlatformCorp then + there might not be any additional permission prompt in this case.
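Review bot: in the patch 4 hunk, the new JSPlaygroundCorp sentence says users "grant permissions to the domain they perceive they are interacting with", but the spec reasons in origins and permission grants are keyed by the top-level origin, so "top-level origin" is the more accurate term here (the example narrative can still talk about subdomains). The rewritten iframe example still uses scheme-relative items (`//app1.site.com`, `//app3.site.com`, `//app2.site.com`, `//doc1.site.com`); use `https://` origins so each item parses as an origin. The phrase "control whether to delegate camera or microphone access or not to each subdomain" can lose the trailing "or not". For patch 5, moving the prompt sentence into its own note after the example is the right place for it, but "there might not be any additional permission prompt" describes user-agent behaviour that this spec does not require; word it as something browsers may do rather than as an outcome the policy guarantees.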

From 8075bc024f91a1c2ed5e60d0c0d20f6abacf2638 Mon Sep 17 00:00:00 2001 From: Jan-Ivar Bruaroey Date: Wed, 26 Jun 2024 15:36:07 -0400 Subject: [PATCH 6/6] Fix example and add feedback to paragraph on prompts --- index.bs | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 5775b27c..99444fe8 100644 --- a/index.bs +++ b/index.bs @@ -194,14 +194,20 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# An iframe where the component "app1" should have camera access, "app2" should have microphone access, and "app3" should have both might look like this:
-    <iframe allow="camera //app1.site.com //app3.site.com; microphone //app2.site.com"
-            src="//doc1.site.com" sandbox="allow-same-origin allow-scripts"></iframe>
+    <iframe
+      allow="camera https://app1.site.com https://app3.site.com;
+             microphone https://app2.site.com https://app3.site.com"
+      src="https://doc1.site.com"
+      sandbox="allow-same-origin allow-scripts">
+    </iframe>
     

Iframe attributes can selectively enable features in certain frames, and not in others, even if those contain documents from the [=same origin=]. The list of sandbox tokens might be longer in practice.

-

If the user already trusts PlatformCorp then - there might not be any additional permission prompt in this case.

+

Since browsers generally ask users to grant permissions to the top-level + domain, there might not be any additional permission prompt for the + components to request camera or microphone access if the user already + trusts PlatformCorp.
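Review bot: the new paragraph should explain why `sandbox="allow-same-origin allow-scripts"` is part of the example: without `allow-same-origin` a sandboxed document has an opaque origin, which no origin in the `allow` list can match, so the feature delegation would never apply. That is a useful caveat for readers copying the snippet, and it also makes clear that isolation between components comes from their distinct subdomain origins, not from the sandbox. As in the earlier hunk, the frame's `src` origin `https://doc1.site.com` is in neither allowlist, so a sentence noting that the frame is navigated to app1, app2 or app3 and that the allowlist is evaluated against the document origin loaded at that time would help. Finally, "grant permissions to the top-level domain" should say "top-level origin", matching the spec's terminology.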