
Is that how browser permissions work? Naively I’d assume the browser grants only search.google.com permissions on that url, even if maps.google.com is opened as an iframe.


It's been ages since I've played with iframes, but I'm pretty sure it does (or at least did?). You might have to specify an allow policy [0] but that's no problem if you control both sides. Since iframes are secure, data wouldn't leak unless the iframe explicitly posts it.

I don't know if you can request permissions from the iframe (might confuse people), but if you already have them, it ought to be fine.

[0] https://github.com/w3c/webappsec-permissions-policy/blob/mai...


Thanks for the docs. The examples (2 & 3, https://github.com/w3c/webappsec-permissions-policy/blob/mai...) seem to me to say that search.google.com can’t grant location permissions to an iframe if the parent was forbidden them, but I didn't find an explicit example for what happens if the iframe domain already got permission previously.

As you say the UI for requesting in this case would be weird, and this seems like a big security hole to me, but I can’t see a bit of the spec that explicitly forbids it (though I only scanned the doc).
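The delegation rule discussed in this thread, as an added example that is not part of any comment or of the linked spec: a simplified JavaScript model of how a parent's Permissions-Policy header and an iframe's allow attribute combine for geolocation. It assumes the parent is the top-level document; the function names and the example.com origins are constructed for illustration.

```javascript
// Simplified model (an assumption, not the normative algorithm) of how
// Permissions Policy decides whether geolocation is available in an iframe.

// Does an allowlist (array of tokens) match `origin`?
// Tokens modelled: "*", "self", "src", or a literal origin string.
function matches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((t) =>
    t === "*" ||
    (t === "self" && origin === selfOrigin) ||
    (t === "src" && origin === srcOrigin) ||
    t === origin);
}

// parent.header: allowlist from the parent's Permissions-Policy response
//   header for this feature, or undefined when the header does not name it.
// frame.allow: allowlist from the iframe's allow attribute for this feature
//   (allow="geolocation" with no value means ["src"]), or undefined.
function featureEnabledInFrame(parent, frame) {
  // 1. The embedding document must have the feature itself.
  if (parent.header && !matches(parent.header, parent.origin, parent.origin)) return false;
  // 2. A header allowlist in the parent also caps what it can delegate.
  if (parent.header && !matches(parent.header, frame.origin, parent.origin)) return false;
  // 3. An allow attribute, when present, decides for the frame's origin.
  if (frame.allow) return matches(frame.allow, frame.origin, parent.origin, frame.srcOrigin);
  // 4. Default allowlist for geolocation is 'self': same-origin frames only.
  return frame.origin === parent.origin;
}

// Constructed sample origins.
const SEARCH = "https://search.example.com";
const MAPS = "https://maps.example.com";
const mapsFrame = (allow) => ({ origin: MAPS, srcOrigin: MAPS, allow });

function demo() {
  return {
    noAllowAttr: featureEnabledInFrame({ origin: SEARCH }, mapsFrame()),
    allowAttr: featureEnabledInFrame({ origin: SEARCH }, mapsFrame(["src"])),
    parentForbidden: featureEnabledInFrame({ origin: SEARCH, header: [] }, mapsFrame(["src"])),
    parentSelfOnly: featureEnabledInFrame({ origin: SEARCH, header: ["self"] }, mapsFrame(["src"])),
    parentListsMaps: featureEnabledInFrame({ origin: SEARCH, header: ["self", MAPS] }, mapsFrame(["src"])),
  };
}
```

The model covers policy delegation only; whether the user has granted the permission is a separate check it does not represent.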



