WHATWG on 2025-09-03

11:59	<Simon☀️>	I am staring at this part of the permission policy spec: https://www.w3.org/TR/permissions-policy-1/#declared-origin - it seems to imply that an iframe uses its src attribute to determine its "declared origin" and I don't understand how this makes sense, given that an iframe can be navigated and src won't change.
12:00	<Simon☀️>	The declared origin concept is intended to represent the origin of the document which the embedding page intends to load into a frame. This means, for instance, that if the browser does not support the sandbox or srcdoc attributes, it should not take those attributes into account when computing the declared origin.
12:01	<Simon☀️>	If a page denies a frame access to e.g. geolocation, the frame shouldn't be able to get around it by navigating, right?
14:23	<zcorpan>	Simon☀️: https://w3c.github.io/webappsec-permissions-policy/#declared-origin is the editor's draft But yeah, it uses the origin of the URL in `src` if `src` is present. Even if the frame has been navigated elsewhere.
14:27	<zcorpan>	Simon☀️: https://w3c.github.io/webappsec-permissions-policy/#algo-process-policy-attributes is the relevant caller
14:42	<smaug>	hmm, window.location = "foo"; consumes transient activation in Chrome. I wonder why