
Add Permissions Policy Integration to Control Orientation Data Flow in Embedded Contexts #276

@innotommy

I am opening this issue as a result of the security review: w3c/security-request#101 (comment)

Problem

The specification defines when orientation events and values (type, angle) are delivered:

“orientation events are only delivered to documents in windows that are both visible at the system level and have the user’s attention.”

However, the spec does not distinguish between top-level and embedded / cross-origin contexts. As written, non-sandboxed cross-origin iframes can receive orientation data by default, creating an uncontrolled information-flow channel and exposing a known fingerprinting vector.

Why This Matters

  • Third-party frames receive device-orientation data without intent.
  • Developers have no fine-grained control.
  • Browser divergence increases entropy and fingerprintability.
  • Orientation becomes another unnecessary cross-site fingerprinting surface.

Requested Normative Change

1. Add a Permissions Policy feature

<iframe allow="screen-orientation">

2. Define normative defaults

  • Top-level contexts: enabled by default
  • Embedded contexts: disabled by default, unless explicitly enabled

3. Define UA behavior when disabled

When disabled, the UA MUST behave as if the API is unsupported:

  • screen.orientation.type returns a default value
  • screen.orientation.angle returns 0 (or defined default)
  • No orientation events fire
  • Lock attempts reject with NotSupportedError

Expected Benefits

  • Prevents unintended exposure of orientation state to third parties
  • Aligns with Permissions Policy usage for high-entropy APIs
  • Improves privacy and cross-browser consistency
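The policy model requested above, as an added example that is not part of the issue or of the Screen Orientation specification: a JavaScript model of how a `screen-orientation` Permissions Policy feature would propagate through a frame tree under the standard Permissions Policy inheritance rules (the iframe `allow` attribute, the document's own `Permissions-Policy` response header, and the feature's default allowlist). The feature name comes from the issue; modelling "embedded contexts disabled unless explicitly enabled" as a default allowlist of `'self'` is an assumption (it lets same-origin frames inherit the feature, a case the issue does not address), and the sample frame tree is constructed for the example.

```javascript
// Added example (not code from the issue or any browser): a model of how the proposed
// "screen-orientation" Permissions Policy feature would propagate through a frame tree.
// Assumptions: the feature name from the issue, and a default allowlist of 'self'
// (top-level and same-origin frames enabled by default, cross-origin frames need a grant).
const FEATURE = 'screen-orientation';
const DEFAULT_ALLOWLIST = ['self'];

// Allowlist entries: '*', 'self' (the declaring document's origin), 'src' (the iframe's
// own origin; only meaningful in an `allow` attribute) or a literal origin.
function allowlistMatches(allowlist, origin, declaringOrigin, srcOrigin) {
  return allowlist.some(entry =>
    entry === '*' ||
    (entry === 'self' && origin === declaringOrigin) ||
    (entry === 'src' && origin === srcOrigin) ||
    entry === origin);
}

// Parse an iframe `allow` attribute such as "screen-orientation; geolocation 'self' https://maps.test".
// A feature listed with no values means 'src', so <iframe allow="screen-orientation"> grants the
// feature to whatever origin the frame is loaded from; 'none' yields an empty allowlist.
function parseAllowAttribute(attr) {
  const policy = new Map();
  for (const decl of attr.split(';')) {
    const [feature, ...values] = decl.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    const list = values.length
      ? values.map(v => v.replace(/^'|'$/g, '')).filter(v => v !== 'none')
      : ['src'];
    policy.set(feature, list);
  }
  return policy;
}

// Parse the Permissions-Policy response header (structured-field dictionary subset):
// name=*, name=() (deny everyone, including the document itself) or name=(self "https://origin.test").
function parsePolicyHeader(header) {
  const policy = new Map();
  for (const member of header.split(',')) {
    const m = member.trim().match(/^([a-z-]+)=(\*|\((.*)\))$/);
    if (!m) continue;
    if (m[2] === '*') { policy.set(m[1], ['*']); continue; }
    policy.set(m[1], m[3].trim().split(/\s+/).filter(Boolean).map(v => v.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Walk a frame tree. Each frame is { id, origin, allow?, header?, children? }.
// Returns a Map of frame id -> whether FEATURE is enabled in that document.
function evaluateTree(frame, parent = null, result = new Map()) {
  let enabled;
  if (parent === null) {
    enabled = true;                       // top-level context: enabled by default
  } else if (!parent.enabled) {
    enabled = false;                      // a frame cannot delegate what it does not have
  } else {
    const container = parseAllowAttribute(frame.allow || '');
    const list = container.has(FEATURE) ? container.get(FEATURE) : DEFAULT_ALLOWLIST;
    enabled = allowlistMatches(list, frame.origin, parent.origin, frame.origin);
  }
  // The document's own header can only restrict further, never grant what the embedder withheld.
  if (enabled && frame.header) {
    const declared = parsePolicyHeader(frame.header);
    if (declared.has(FEATURE)) {
      enabled = allowlistMatches(declared.get(FEATURE), frame.origin, frame.origin, frame.origin);
    }
  }
  result.set(frame.id, enabled);
  for (const child of frame.children || []) {
    evaluateTree(child, { origin: frame.origin, enabled }, result);
  }
  return result;
}

// Constructed sample frame tree (origins are placeholders, not real sites).
const SAMPLE_TREE = {
  id: 'top', origin: 'https://news.example',
  children: [
    { id: 'same-origin-widget', origin: 'https://news.example' },
    { id: 'third-party-ad', origin: 'https://ads.example',
      children: [{ id: 'ad-nested', origin: 'https://ads.example', allow: 'screen-orientation' }] },
    { id: 'game', origin: 'https://game.example', allow: 'screen-orientation',
      children: [
        { id: 'game-analytics', origin: 'https://stats.example' },
        { id: 'game-same-origin', origin: 'https://game.example' },
      ] },
    { id: 'explicit-deny', origin: 'https://news.example', allow: "screen-orientation 'none'" },
    { id: 'header-opt-out', origin: 'https://viewer.example', allow: 'screen-orientation',
      header: 'screen-orientation=()' },
  ],
};

for (const [id, on] of evaluateTree(SAMPLE_TREE)) {
  console.log(`${id}: ${on ? 'enabled' : 'disabled (API behaves as unsupported)'}`);
}
```

In this model "disabled" is the state the issue asks for: the document sees default orientation values, receives no orientation events, and lock attempts reject. The `ad-nested` case shows why delegation matters: a cross-origin frame that was never granted the feature cannot pass it on to its own children by adding an `allow` attribute, and `header-opt-out` shows that an embedded document can refuse a grant it was given.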

Labels: security-tracker (Group bringing to attention of security, or tracked by the security Group but not needing response.)
