Some question came up in the Bluetooth API discussion at - given that a pairing permission is granted by the user on an origin basis (device to origin) should this be allowed when the request is made from an iFrame or only when the origin is visible to the user? Example: I grant skype.com to have access to my bluetooth speaker but then if I'm on Outlook.com and Outlook.com embeds a Skype.com iframe, should that have that be able to use my speaker?