TAGの皆様、こんにちは!

I'm requesting a TAG review of Permissions Policy reports for iframes.

I'd like to introduce a new Permissions Policy violation type called Potential Permissions Policy violation, which will only look at Permissions Policy (including report-only policy) and the allow attribute set in iframes to detect the conflict between Permissions Policy enforced vs permissions propagated to iframes. The Potential Permissions Policy violation reports will be sent to embedder's reporting endpoint, instead of iframe's reporting endpoint.

• Explainer: https://gist.github.com/shhnjk/48ca9d1c41e0eebed0f452bfd612d787
• Specification: 1, 2
• WPT Tests: https://github.com/web-platform-tests/wpt/pull/49978
• User research:
• Security and Privacy self-review: https://gist.github.com/shhnjk/9ef1f57f429b13c1c3acf3649fbf0bb0
• GitHub repo: https://w3c.github.io/webappsec-permissions-policy/
• Primary contacts:
  • Jun Kokatsu (@shhnjk), Google, Implementer
  • Ian Clelland (@clelland), Google, Permissions Policy Spec Editor
• Organization/project driving the specification: Google
• Multi-stakeholder support:
  • Chromium comments: https://groups.google.com/a/chromium.org/g/blink-dev/c/3PMdpmPPXu0/m/3BnXkyVfDAAJ
  • Mozilla comments: https://github.com/mozilla/standards-positions/issues/1164
  • WebKit comments: https://github.com/WebKit/standards-positions/issues/448
• Status/issue trackers for implementations: https://chromestatus.com/feature/5154241037205504

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Previous early design review, if any: N/A
• Relevant time constraints or deadlines: I'd like to ship this soon
• The group where the work on this specification is currently being done: WebAppSec
• Major unresolved issues with or opposition to this specification:
• This work is being funded by: Google