I don't think this should work. Per our new partitioned thinking (tm) a top-level A1 is separate from a embedded third-party A2 and should not be able to share state, including permissions. That raises the question what should happen if A2 got storage access, but even in that case I don't think it should get the permission to create notifications. As for Permissions Policy, we did discuss notifications and decided delegation does not make sense as notifications are inherently origin-bound. For instance, if A2 were embedded in B and Permissions Policy was a thing for notifications and B did delegate notifications, A2 would request, the user would grant B (as they are the top-level and thus responsible and what we would show the user), but then A2 would create a notification for A which would mismatch with user expectations (I granted B, not A!). So because notifications are origin-bound they have to be an exclusively first-party feature that only works there.
Bug 1708354 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I don't think this should work. Per our new partitioned thinking (tm), a top-level A1 is separate from an embedded third-party A2 and should not be able to share state, including permissions. That raises the question what should happen if A2 got storage access, but even in that case I don't think it should get the permission to create notifications. As the user is not visiting A2 directly, A2 as third-party is an implementation detail of some first-party. As for Permissions Policy, we did discuss notifications and decided delegation does not make sense as notifications are inherently origin-bound. For instance, if A2 were embedded in B and Permissions Policy was a thing for notifications and B did delegate notifications, A2 would request, the user would grant B (as they are the top-level and thus responsible and what we would show the user), but then A2 would create a notification for A which would mismatch with user expectations (I granted B, not A!). So because notifications are origin-bound they have to be an exclusively first-party feature that only works there.