No, what they are talking about is all Google properties (e.g. Google search) now being able to collect your location every time you use them, if you granted permission for maps to get your location.
So it’s now not possible to block location for search, and grant it to maps (at least using the standard browser domain permissions model).
But they could've been doing that all along because they control both sites, they would've just needed to use an iframe. What changed beyond "it's a little easier now"?
Is that how browser permissions work? Naively I’d assume the browser grants only search.google.com permissions on that url, even if maps.google.com is opened as an iframe.
It's been ages since I've played with iframes, but I'm pretty sure it does (or at least did?). You might have to specify an allow policy [0] but that's no problem if you control both sides. Since iframes are secure, data wouldn't leak unless the iframe explicitly posts it.
I don't know if you can request permissions from the iframe (might confuse people), but if you already have them, it ought to be fine.
Thanks for the docs. The examples (2 & 3, https://github.com/w3c/webappsec-permissions-policy/blob/mai...) seem to me to say that search.google.com can’t grant location permissions to an iframe if the parent was forbidden them, but I didn't find an explicit example for what happens if the iframe domain already got permission previously.
As you say, the UI for requesting in this case would be weird, and this seems like a big security hole to me, but I can’t see a bit of the spec that explicitly forbids it (though I only scanned the doc).
So it’s now not possible to block location for search, and grant it to maps (at least using the standard browser domain permissions model).
https://support.google.com/chrome/answer/114662?hl=en&co=GEN...
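For the iframe delegation question raised in the thread, here is an added example (not written by any commenter and not the spec's own text): a simplified model of how Permissions Policy decides whether `geolocation` is even available in a nested frame. The origins, the frame objects and the function names are constructed for illustration; the model covers only the policy check, not the browser's separate per-origin user permission.

```javascript
// Simplified model of Permissions Policy inheritance for a feature whose
// default allowlist is 'self' (geolocation). Not the spec algorithm verbatim.
// Allowlists are arrays: [] models "geolocation=()", "self" the declaring
// document's origin, "*" any origin. undefined means "not declared".
function matches(allowlist, origin, selfOrigin) {
  return allowlist.some(e => e === "*" || (e === "self" ? selfOrigin : e) === origin);
}

// frame = { origin, header, allow, parent }
//   header: allowlist from the frame's own Permissions-Policy response header
//   allow:  allowlist from the embedding <iframe allow="geolocation ...">;
//           a bare allow="geolocation" is modelled as [frame origin]
function policyEnabled(frame) {
  const { origin, header, allow, parent } = frame;
  let inherited;
  if (!parent) {
    inherited = true;                      // top-level document
  } else if (!policyEnabled(parent)) {
    inherited = false;                     // parent cannot delegate what it lacks
  } else if (parent.header && !matches(parent.header, origin, parent.origin)) {
    inherited = false;                     // parent's header excludes this origin
  } else if (allow) {
    inherited = matches(allow, origin, parent.origin);
  } else {
    inherited = origin === parent.origin;  // default allowlist 'self'
  }
  if (!inherited) return false;
  // A document's own header can only narrow what it inherited.
  return header ? matches(header, origin, origin) : true;
}

// Constructed sample origins standing in for a search page embedding a maps page.
const SEARCH = "https://search.example", MAPS = "https://maps.example";

function scenarios() {
  const top = { origin: SEARCH };                            // no header
  const blockedTop = { origin: SEARCH, header: [] };         // geolocation=()
  const selfOnlyTop = { origin: SEARCH, header: ["self"] };  // geolocation=(self)
  const child = (parent, allow) => ({ origin: MAPS, allow, parent });
  return {
    noAllow: policyEnabled(child(top)),                      // cross-origin, no allow
    withAllow: policyEnabled(child(top, [MAPS])),            // allow="geolocation"
    parentBlocked: policyEnabled(child(blockedTop, [MAPS])),
    parentSelfOnly: policyEnabled(child(selfOnlyTop, [MAPS])),
  };
}

console.log(scenarios());
```

A `true` result only means the API is not blocked by policy in that frame; whether a location request then succeeds still depends on the permission the browser holds for the origin it attributes the request to.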