whatwg
Restrict use of Notification.requestPermission to secure contexts.
I'd also like to augment the secure context restriction with a top-level context restriction, i.e. Notification.requestPermission returns "denied" for non-secure and non-top-level contexts. Chrome shipped both of these restrictions in tandem.
I can pull the top-level discussion out to a separate PR (and pull it out of the corresponding WPT at https://github.com/w3c/web-platform-tests/pull/6596) if so desired, but it would be nice to combine them.
If Notification.permission is to return "denied" by default, we also need to update the algorithm of its getter. Otherwise it would only return "denied" if you first invoked requestPermission(). (We should probably test that too.)
Do you mean cross-origin non-top-level contexts or non-top-level contexts in general? We should probably do that as a separate change and couple it with Feature Policy somehow.
