Default to off for high risk contexts

Publishers will need to check pages for level of user risk before activating. Set the permission policy to default off, so that high risk tracking is less likely to happen accidentally before this review. See patcg/private-measurement#6
dmarti · Apr 28, 2022 · b2f9ac2 · b2f9ac2
1 parent c4231c8
commit b2f9ac2
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/EVENT.md b/EVENT.md
@@ -217,8 +217,8 @@ Policy](https://w3c.github.io/webappsec-permissions-policy/):
 </iframe>
 ```
 
-The API will be enabled by default in the top-level context and in same-origin
-children. Any script running in these contexts can declare a source with any
+The API will be diabled by default so that web site authors can turn it on only for pages
+where it presents an acceptable level of risk. Any script running in these contexts can declare a source with any
 reporting origin. Publishers who wish to explicitly disable the API for all
 parties can do so via an [HTTP
 header](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).