Add top-level origin check

[annevk]

Fixes #177.

• At least two implementers are interested (and none opposed):
  • …
  • …
• Tests are written and can be reviewed and commented upon at:
  • …
• Implementation bugs are filed:
  • Chromium: …
  • Gecko: …
  • WebKit: …
• MDN issue is filed: …
• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

[johannhof]

This seems to match Chrome's behavior, thanks

[annevk]

Do you happen to know if we have any test coverage for this?

[saschanaz]

What is "top level" here? HTML says "implementation defined"... Is it supposed to check the top window's origin?

Gecko blocks any request if a third party iframe is involved at all - ABA is also blocked. Per our telemetry nobody is doing ABA permission request and so far nobody complained.

[annevk]

It's implementation-defined for shared/service workers only so I guess your question is what should happen for shared workers since service workers are handled already? It's a good question and I'm not sure any of that is well-defined at the moment.

[saschanaz]

There's a tentative test https://wpt.fyi/results/notifications/cross-origin-nested.tentative.https.sub.html?label=experimental&label=master&aligned

[johannhof]

Interesting, Chrome should not fail these. I filed https://issues.chromium.org/498745938.

We can probably also make it non-tentative?