#1050: Permissions Policy reports for iframes

Opened Feb 11, 2025

Hello, TAG members!

I'm requesting a TAG review of Permissions Policy reports for iframes.

I'd like to introduce a new Permissions Policy violation type called Potential Permissions Policy violation, which will only look at Permissions Policy (including report-only policy) and the allow attribute set in iframes to detect the conflict between Permissions Policy enforced vs permissions propagated to iframes. The Potential Permissions Policy violation reports will be sent to the embedder's reporting endpoint, instead of the iframe's reporting endpoint.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Previous early design review, if any: N/A
  • Relevant time constraints or deadlines: I'd like to ship this soon
  • The group where the work on this specification is currently being done: WebAppSec
  • Major unresolved issues with or opposition to this specification:
  • This work is being funded by: Google
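
The conflict described in the request above, sketched as an added example that is not part of the original request or of the specification. It assumes a simplified model in which a delegation is flagged when the embedder's own header does not allow the feature for the embedder; the function names, record shape and sample origins are hypothetical.

```javascript
// Simplified model, an assumption of this example (not the spec algorithm):
// a feature named in an iframe's allow attribute is a potential violation when
// the embedder's own Permissions-Policy header does not allow it for the embedder.

// Parse a Permissions-Policy header into Map<feature, allowlist[]>.
// Handles feature=(), feature=*, feature=self, feature=(self "https://a.example").
function parsePolicyHeader(header) {
  const policy = new Map();
  for (const member of header.split(",")) {
    const eq = member.indexOf("=");
    if (eq === -1) continue;
    const feature = member.slice(0, eq).trim().toLowerCase();
    const raw = member.slice(eq + 1).split(";")[0].trim(); // drop parameters
    const inner = raw.startsWith("(") ? raw.slice(1, raw.lastIndexOf(")")) : raw;
    const allowlist = inner.split(/\s+/).filter(Boolean).map((t) => t.replace(/^"|"$/g, ""));
    policy.set(feature, allowlist);
  }
  return policy;
}

// Feature names delegated by an allow attribute such as "camera; geolocation 'self'".
function parseAllowAttribute(allow) {
  return allow.split(";").map((d) => d.trim().split(/\s+/)[0].toLowerCase()).filter(Boolean);
}

// Assumption: a feature absent from the header keeps a default that allows the embedder.
function embedderAllows(policy, feature, embedderOrigin) {
  if (!policy.has(feature)) return true;
  const list = policy.get(feature);
  return list.includes("*") || list.includes("self") || list.includes(embedderOrigin);
}

// Returns one record per conflicting delegation (record shape is hypothetical).
function findPotentialViolations(embedderOrigin, header, iframes) {
  const policy = parsePolicyHeader(header);
  return iframes.flatMap((frame) =>
    parseAllowAttribute(frame.allow)
      .filter((feature) => !embedderAllows(policy, feature, embedderOrigin))
      .map((feature) => ({ feature, src: frame.src, allow: frame.allow })));
}

// Constructed sample input: an embedder that disables camera but delegates it anyway.
const sampleHeader = 'camera=(), geolocation=(self "https://maps.example")';
const sampleFrames = [
  { src: "https://video.example/call", allow: "camera; microphone" },
  { src: "https://maps.example/embed", allow: "geolocation https://maps.example" },
];
const sampleReports = findPotentialViolations("https://site.example", sampleHeader, sampleFrames);
console.log(sampleReports);
```

Only the `camera` delegation is flagged here: `microphone` is not restricted by the header, and `geolocation` is allowed for the embedder through `self`.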

Discussions

Discussed Mar 31, 2025 (See Github)

Yoav: I looked at it... purpose is to warn ... permission policies that are wrong... this is when the embedder is trying to delegate a permission they don't have access to... I haven't dug deeper than that.

revisit in C or in the plenary

Discussed May 19, 2025 (See Github)

Hadley: been digging into it… Anne’s really against it. He says it’s not solving a problem that needs to be solved…

Discussed Jun 2, 2025 (See Github)

DanA: We noted that Anne made an objection, via the WebKit standards position.

Hadley: I don't think the response to our first question is sufficient - it's not focused on the user need.

Jeffrey: when people are trying to roll out a restriction that helps users they have trouble rolling it out if they don't know if it's going to break...

Hadley: and what will break is...

DanA: Not sure if the objection is totally clear, but this seems to be out of our wheelhouse - seems if there was an objection, this shouldn't've been merged.

Jeffrey: The minutes are from 2024 (a year before the objection was raised) so I think they merged it appropriately, but it seems there is disagreement now, so our suggested course of action is to ask them to discuss it again in WebAppSec (before they bring it to us).

Hadley: Agree.

DanA: Happy to write up.

Hadley: Can say it's not our policy to intervene in working group discussions, unless the group brings us an issue that they can't resolve as a group, in which case we'd like to see both/all positions laid out clearly.

Dan commented