The specification makes no suggestion whether a granted permission is saved for the current origin or the current domain name. It is, however, undesirable to imply permission for HTTP sites when the user has only clicked the Allow button on a secure web page. As expected, when the spec is unclear, browser vendors implemented this differently. Some use an origin, some use the domain name. Here's a listing from a few weeks ago: Firefox: Hostname Opera: Hostname Chrome: Origin Safari: Origin I suggest that Firefox adopts this behavior due to the consequences for HTTPS/HTTP downgrades pointed out above.
This should likely be filed as a bug against the spec as well.
The w3c list about geolocation discussed something related, i.e. how the "effective scripting origin" (origin modified by assignments to document.domain) affects the permissions: http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html
From my testing, it would appear IE10 uses Hostname
(In reply to Frederik Braun [:freddyb] from comment #2) > The w3c list about geolocation discussed something related, i.e. how the > "effective scripting origin" (origin modified by assignments to > document.domain) affects the permissions: > > http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html Thanks for finding this, that thread is good background. This does seem to be an implementation detail in some regard as the thread says, although the apparently spec'd UI behavior of only ever showing the domain and not the whole origin could lead to pretty weird behavior if origin is used as the 'key' for storage - if I grant permission for https://foo.com to read my location, I'll be prompted that 'foo.com wants to know your location'. If http://foo.com/something then wants my location, i'll be prompted again that 'foo.com wants to know your location' with no indication PER SPEC that there's any reason I'm being asked for what appears to be the same thing I already granted. "Only provide my location to HTTPS content" seems like something only a small amount of users would use - those with strong privacy/tracking concerns may well just disable geolocation entirely...
Is this bug fixed now that the permission manager uses origins (Firefox 42, bug 1165263)?