Skip to content

Add Permissions Policy integration with "allowed to use" check #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MayyaSunil wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Permissions Policy integration with "allowed to use" check #59

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 40 additions & 8 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ url: https://websockets.spec.whatwg.org/#concept-websocket-connection-obtain; ty
spec: WEBSOCKET; urlPrefix: https://websockets.spec.whatwg.org/
type: abstract-op;
text: WebSocket opening handshake; url: #websocket-opening-handshake
spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/webappapis.html
type: dfn; for: global object
text: associated Document; url: #concept-document-window
</pre>

<pre class="biblio">
Expand Down Expand Up @@ -650,14 +653,43 @@ What follows is a sketch of a potential solution:
3. Set |error|'s [=response/IP address space=] property to
|connection|'s [=connection/IP address space=].

4. TODO: Permission check is sketched out below, wording is still vague
1. If the initiating origin has been granted the local
network access permission, return null.
2. If the initiating origin has been denied the local network
access permission, return |error|.
3. Otherwise, prompt the user:
1. If the user grants permission, return null.
2. If the user denies the permission, return |error|.
4. Let |settingsObject| be |request|'s [=request/client=].

5. Let |global| be |settingsObject|'s [=environment settings
object/global object=].

6. Let |document| be |global|'s [=global object/associated
Document=].

7. If |document| is null, then return |error|.

NOTE: This step will cause local network requests from Service
Workers to fail, as Service Workers do not always have an
associated Document. Future versions of this specification need
to define how to handle Workers, particularly since Permissions
Policy is not yet supported in Workers. See
[w3c/webappsec-permissions-policy#207](https://github.com/w3c/webappsec-permissions-policy/issues/207).

ISSUE: Define local network access behavior for Service Workers.

8. If |document| is not [=allowed to use=]
"local-network-access", then return |error|.
Copy link

@annevk annevk Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does seem to further cement using a single permission btw. Given the revived interest in #17 perhaps it's a bit weird to merge this as-is?

Copy link
Contributor Author

@MayyaSunil MayyaSunil Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right @annevk, as mentioned here my initial plan was to re-write this after #17 is resolved. After #17 is resolved we need to modify the spec text in a lot of places including here.


9. Let |permissionState| be the result of [=getting the current
permission state=] given "local-network-access" and |global|.

10. If |permissionState| is [=permission/denied=], then return
|error|.

11. If |permissionState| is [=permission/granted=], then return
null.

12. [=Prompt the user to choose=] whether to grant
"local-network-access" for |global|:

1. If the user grants permission, then return null.

2. If the user denies permission, then return |error|.
1. Return null.

1. The [$fetch$] algorithm is amended to add 2 new steps right after request’s
Expand Down