
Restrict to top-level navigables

Open · PaulKinlan opened this issue 6 years ago · 1 comment

It might be good to consider a feature policy on the main frame and also on iframes so that embedded sites can't just ask for access to the contacts address book if I as the site owner don't want to enable it.

For example, on my blog I use 3rd party JS for comments and I am really not keen on giving access to this API to that embed (or even if it runs in a 1st party context).

PaulKinlan · Nov 23 '18 15:11

Considering the sensitive nature of this API in terms of privacy, I suggest taking it a step further and restricting it to top-level frames only. There's precedent for this in other privacy-sensitive APIs, such as Background Sync.

rayankans · Apr 04 '19 16:04
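The restriction both comments ask for, modelled in script as an added example (this is not code from the contact-picker spec or from either participant): a wrapper that forwards to `navigator.contacts.select()` only when the calling document is its own `window.top`, and refuses from any embedded frame, so a third-party comment widget cannot raise the picker even if it runs in the page's origin. The thread names no permissions-policy feature string, so the example does not guess one; the `contactAccessDecision` / `selectContactsTopLevelOnly` names and the stand-in window, navigator and contact objects are all constructed here so the file runs under Node without a browser.

```javascript
// Added example: models "Contact Picker only from a top-level document".
// Nothing here is spec code; window/navigator objects are constructed stand-ins.

function isTopLevelDocument(win) {
  // A top-level document is its own `top`; any iframe, first- or third-party,
  // sees a different `top` object.
  return win.top === win;
}

// Synchronous policy decision, separated from the UI call so it can be tested.
function contactAccessDecision(win) {
  if (!isTopLevelDocument(win)) {
    return { allowed: false, reason: "embedded-frame" };
  }
  const api = win.navigator && win.navigator.contacts;
  if (!api || typeof api.select !== "function") {
    return { allowed: false, reason: "api-unavailable" };
  }
  return { allowed: true, reason: "top-level" };
}

// Gated call: rejects instead of showing the picker when the decision is "no".
async function selectContactsTopLevelOnly(win, properties, options = {}) {
  const decision = contactAccessDecision(win);
  if (!decision.allowed) {
    throw new Error(`contact picker refused: ${decision.reason}`);
  }
  return win.navigator.contacts.select(properties, options);
}

// ---- constructed stand-ins for a browser environment ----
const fakeContacts = {
  // Stands in for navigator.contacts.select(); resolves one constructed entry
  // containing only the requested properties.
  select: async (properties) => [
    {
      name: properties.includes("name") ? ["Example Person"] : [],
      email: properties.includes("email") ? ["person@example.test"] : [],
    },
  ],
};

const topWindow = { navigator: { contacts: fakeContacts } };
topWindow.top = topWindow; // top-level document: top === self

// An embedded comment widget: same API object available, but top is someone else.
const embeddedWindow = { navigator: { contacts: fakeContacts }, top: topWindow };

// A top-level document in a browser that does not expose the API at all.
const noApiWindow = { navigator: {} };
noApiWindow.top = noApiWindow;

async function demo() {
  const results = {};
  results.top = await selectContactsTopLevelOnly(topWindow, ["name", "email"]);
  try {
    await selectContactsTopLevelOnly(embeddedWindow, ["name"]);
  } catch (e) {
    results.embedded = e.message; // "contact picker refused: embedded-frame"
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

A script-level check like this is only a convenience for the page author; the point of the thread is that the user agent itself should enforce the top-level restriction, so that an embed cannot simply bypass a wrapper by calling the API directly.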