WICG / private-network-access

https://wicg.github.io/private-network-access/

Should we allow frames/iframes to use permission prompt to relax mixed content check? #93

Open iVanlIsh opened 1 year ago

iVanlIsh commented 1 year ago

The permission prompt would be restricted to the top-level document only in the first stage. However, we are still open to opinions here. Here are some alternative options:

  1. Allow same-origin sub-frames to inherit permissions from the top-level document.
  2. Allow same-site sub-frames to inherit permissions from the top-level document.
  3. Create a new permission policy to let the top-level document decide if sub-frames are able to inherit the permissions or not. (In this case, we are still open to a default behavior and the boundary of the permission policy for private network access.)
  4. Sub-frames are allowed to gain their own permissions. (This option might create confusing UX and have security concerns that the data could be leaked to top-level documents as well as other sibling frames. Alternatively, for the latter one, we can try to relax it only on anonymous iframes or similar situations.)

letitz commented 1 year ago

AIUI, you are reconsidering this stance, right? We have identified a need to support the permission in cross-origin iframes?

letitz commented 1 year ago

The latest thinking here is to define a permission policy for local network access, so top level frames can allow subframes to request permission.