API for requesting explicit permission to ignore security policies


#1

There are Cloud IDEs that need full access to basically emulate browser tabs within their windowing system. Right now, if you’re developing a site that sends headers that doesn’t allow pages to be iframed, you can’t a preview of the site open within the page.

I understand the merit to not allowing a site to be silently iframed, as that opens up lots of potential exploits like clickjacking. However, there are some applications that look to legitimately provide a further level of chrome around the browser, in a way that a user would actually explicitly want.

I’m suggesting that there should be a function that can be called that will pop up a bar like the one for getting access to the user’s location or webcam, with a message like “http://example.com is requesting permission to open other websites.”


#2

Can you elaborate? What kind of chrome? Can’t this be achieved via browser extensions?


#3

Is it specifically about this header? How would the browser convey the potential for clickjacking attacks?


#4

The example I gave was of a preview frame in a web IDE. Another example might be a prototype / mockup for a new browser interaction paradigm (ie. one where each of your tabs/windows are presented spatially in a zoomable plane).

This could be achieved via browser extensions, but so could any other extended page behavior (like being able to access the filesystem). This is about discussing this as a cross-browser feature of the web platform.

I think something along the lines of “http://example.com is requesting permission to open other websites”, with a “more info” link and maybe text like “I trust this page” for the “Allow” button, could be enough. Most non-technical people I know would understand and reject “allow this page to open other websites” the same way as they reject “allow this page to see my location”.

That said, one of the things I’d look for in this thread is brainstorming ideas for more clear wording that could more effectively convey the potential dangers of allowing this permission (while still being concise enough for a one-sentence infobar, since users tend to ignore any warning longer than a sentence).


#5

Even just adding something to allow iframes to show mixed content would be enough to save the reddit toolbar.


#6

Both use cases mentioned could be handled by extensions I would rather work on standardising those between browsers than start adding back in warnings to the user.

I would rather not move back to the web where users need to know the answer to every security question possible.


Canvas "clear taint" permission
Can we get a "Security" category?