Permissions-Policy limitations #519
Comments
Closing this out for now given we changed the default to |
While the permissions policy comes with important security/anti-fraud benefits (prevent arbitrary third-parties from registering sources without the publisher’s knowledge), it comes with the following limitations for API users:
Limitations
For example, let's take an HTTPS deployed site, that embeds an ad iframe that looks like this:
page-that-redirects redirects to final-destination. So while the API is allowed in page-that-redirects, it's not allowed in final-destination. Repro here in IFRAME 7: https://shimmer-well-juravenator.glitch.me/
This can also happen in more subtle ways, e.g. redirecting from https://a.com to https://www.a.com.
Mitigations
src, but I don't know how realistic this is in practice.
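The redirect limitation described in this issue, as an added example that is not part of the original issue or the project's code: a simplified evaluation of an iframe's `allow` attribute against the origin of the document that finally loads in the frame. The feature name `example-feature`, the host `publisher.example` and the function names are hypothetical, and the embedding page is assumed to have the feature enabled itself.

```javascript
// Parse an iframe `allow` attribute into feature -> allowlist entries.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of allowAttr.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    // A bare feature name in `allow` means the allowlist 'src'.
    policy.set(feature, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

function originOf(url) {
  return new URL(url).origin;
}

// Does the `allow` attribute delegate `feature` to the document that ends up
// in the frame? `finalUrl` is the URL after any redirects. If the feature is
// not named in `allow`, its default allowlist decides; that is not modelled.
function delegatedByAllow({ allow, src, parentUrl, finalUrl, feature }) {
  const allowlist = parseAllow(allow).get(feature);
  if (!allowlist) return false;
  const finalOrigin = originOf(finalUrl);
  return allowlist.some((entry) => {
    if (entry === '*') return true;
    if (entry === "'none'") return false;
    if (entry === "'src'") return finalOrigin === originOf(src);
    if (entry === "'self'") return finalOrigin === originOf(parentUrl);
    try {
      return finalOrigin === originOf(entry); // explicit origin entry
    } catch {
      return false; // unparseable entry never matches
    }
  });
}

// Constructed sample frame: src is https://a.com, embedded by a hypothetical publisher.
const frame = {
  allow: 'example-feature',
  src: 'https://a.com/ad',
  parentUrl: 'https://publisher.example/article',
  feature: 'example-feature',
};
const sameOrigin = delegatedByAllow({ ...frame, finalUrl: 'https://a.com/landing' });
const afterRedirect = delegatedByAllow({ ...frame, finalUrl: 'https://www.a.com/ad' });
console.log({ sameOrigin, afterRedirect });
```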