Feature Policy shouldn't be overridable · Issue #357 · w3c/webappsec-permissions-policy (original) (raw)

Skip to content

Navigation Menu

• • GitHub Copilot Write better code with AI
  • GitHub Advanced Security Find and fix vulnerabilities
  • Actions Automate any workflow
  • Codespaces Instant dev environments
  • Issues Plan and track work
  • Code Review Manage code changes
  • Discussions Collaborate outside of code
  • Code Search Find more, search less
• Explore
  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights
• • GitHub Sponsors Fund open source developers
  • The ReadME Project GitHub community articles
• • Enterprise platform AI-powered developer platform
• Pricing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign up

Description

In current spec, setting feature-policy: geolocation 'self' in top-frame wouldn't restrict cross-origin iframe to request access to Geo location (e.g. <iframe allow="geolocation" src="https://cross-origin.tld"></iframe>). This has to change, in order to provide some mechanism to avoid leaking permission to cross-origin iframe (especially in the browser that supports Permission Delegation).