w3c / webappsec-permissions-policy

A mechanism to selectively enable and disable browser features and APIs
https://w3c.github.io/webappsec-permissions-policy/
Other

Query: Can a trusted subframe allocate permission to one of its cross-domain subframes #542

Closed aromalanil closed 1 month ago

aromalanil commented 8 months ago

Description

In the 4th example of Permissions Policy, "Policy only directly affects child frame", the scenario mentioned is

In this scenario it is mentioned that "game.com" can allocate permission to the "resources.game.com", as a trusted subframe is able to delegate access to a feature to one of its subframes.

Question

Will this happen when the subframe is cross-domain?

In the given scenario, "resources.game.com" is a sub-domain of the frame "game.com". Will this also work if the subframe were of a cross domain, let's say "work.com"?

example.com

<iframe src="https://game.com/" allow="geolocation"></iframe>

game.com

<iframe src="https://work.com/" allow="geolocation"></iframe>

clelland commented 8 months ago

Yes, in this case, the https://game.com/ subframe is allowed to delegate the geolocation permission to https://work.com. Permissions-policy uses origins for comparison, and https://resources.game.com and https://work.com are both cross-origin to https://game.com.
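
A simplified model of the origin-based inheritance described in the answer above, added here as an example (not code from the spec or this repository; the frame objects, the `nestedGeolocation` helper and the assumption that no Permissions-Policy response headers are set are constructed for illustration):

```javascript
// Added example (not code from the spec or this repository): a simplified model of
// Permissions Policy inheritance, assuming no Permissions-Policy response headers,
// so every document starts from the default allowlists.

// Origin = scheme + host + port: https://resources.game.com and https://work.com
// are equally cross-origin to https://game.com; sub-domains get no special status.
const originOf = (url) => new URL(url).origin;

// Container policy for one feature from an <iframe allow="..."> attribute.
// Returns '*' or an array of origins. A bare feature name means 'src' (the
// frame's own origin); a feature absent from the attribute falls back to its
// default allowlist, which for geolocation is 'self' (the embedder only).
function containerAllowlist(feature, allowAttr, embedderOrigin, frameOrigin) {
  const entries = (allowAttr || '').split(';').map((e) => e.trim()).filter(Boolean);
  for (const entry of entries) {
    const [name, ...values] = entry.split(/\s+/).map((v) => v.replace(/'/g, ''));
    if (name !== feature) continue;
    if (values.length === 0) return [frameOrigin];
    if (values.includes('none')) return [];
    if (values.includes('*')) return '*';
    return values.map((v) => (v === 'self' ? embedderOrigin : v === 'src' ? frameOrigin : originOf(v)));
  }
  return [embedderOrigin]; // default allowlist 'self' (modelled for geolocation only)
}

// A frame is { origin, allow, parent }; the top-level document has no parent.
// A feature is enabled in a frame only if it is enabled in the parent document
// AND the container policy on the frame's <iframe> lists the frame's origin.
function featureEnabled(frame, feature) {
  if (!frame.parent) return true; // default 'self' covers the top-level document itself
  if (!featureEnabled(frame.parent, feature)) return false;
  const allowlist = containerAllowlist(feature, frame.allow, frame.parent.origin, frame.origin);
  return allowlist === '*' || allowlist.includes(frame.origin);
}

// Constructed frame tree mirroring the question: example.com -> game.com -> inner.
// The game.com frame is embedded with allow="geolocation", as in the question.
function nestedGeolocation(innerUrl, innerAllow) {
  const top = { origin: originOf('https://example.com/'), parent: null };
  const game = { origin: originOf('https://game.com/'), allow: 'geolocation', parent: top };
  const inner = { origin: originOf(innerUrl), allow: innerAllow, parent: game };
  return featureEnabled(inner, 'geolocation');
}

// The sub-domain and the unrelated domain get identical results in every case.
console.log(nestedGeolocation('https://work.com/', 'geolocation'));           // true
console.log(nestedGeolocation('https://resources.game.com/', 'geolocation')); // true
console.log(nestedGeolocation('https://resources.game.com/', undefined));     // false: 'self' is game.com only
console.log(nestedGeolocation('https://work.com/', "geolocation 'none'"));    // false: explicitly denied
```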

aromalanil commented 8 months ago

@clelland Thanks for the clarification. In this case, wouldn't it be better to use URLs that are not subdomains for the example, to avoid the confusion about whether this is only applicable to subdomains?