From 43a37cc466f88daf0044ff840832f3b5c0e50e8b Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Fri, 22 Dec 2017 11:32:29 -0800 Subject: [PATCH] Editorial: Discuss how query() makes abuse harder to detect. --- index.html | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/index.html b/index.html index 99d656d..009cf4c 100644 --- a/index.html +++ b/index.html @@ -1155,6 +1155,17 @@

Security and privacy considerations

+

+ Web pages often run more- and less-trusted components as the same origin. For example, a + newspaper may run advertising code without sandboxing it into a cross-origin iframe. If the + newspaper has a legitimate reason to use a person's location, that also happens to grant + access to the less trusted advertiser. Without the {{Permissions/query()}} function in this + specification, to read the person's location, an advertisement needs to risk showing a + prompt, which exposes it to detection. With this function, the advertisement can silently + track just the people who've already granted their location to the newspaper. The UA might + provide notice of when permissions are in use on a page which might increase the visibility + of abuse. +

An adversary could use a permission state as an element in creating a "fingerprint" corresponding to an end-user. Although an adversary can already determine the state of a
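Review bot: The mitigation in the last sentence of the new paragraph is stated too weakly to be useful to implementers or authors: "The UA might provide notice of when permissions are in use on a page which might increase the visibility of abuse" gives two "might"s and no actionable recommendation. Consider splitting it into a guidance sentence for user agents (e.g. "User agents should make it visible when a permission is in use on a page, so that silent use by less-trusted components is more likely to be noticed") and a guidance sentence for authors that points back to the isolation mechanism the paragraph already names (sandboxing less-trusted code into a cross-origin iframe, which keeps it from inheriting the top-level origin's granted permissions). Two smaller points: "as the same origin" reads better as "in the same origin", and "on a page which might increase" needs a comma before "which". The hunk header's +17 count matches the stated 11 insertions, so no concern there.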