Hi, I was suggesting the extreme approach for *security* dialogs, since it seems > to be a security not-best-practice, and taking an extreme point might help > with making a decision by eliciting responses... > > Given the arguments in the position papers, I'm wondering why we shouldn't > say something in DAP about this. > I think it is absolutely right that this is considered and something is said about it. However, there will probably continue to be situations where dialogs at runtime (rather than solely at installation time) are unavoidable, depending on the kind of security decision a user is being asked to make. I would definitely welcome a design approach that eliminated the need for modal prompts, along the lines of the Mozilla position paper, for example by ensuring that all APIs that potentially cause prompts are asynchronous. Beyond that, I think we should probably avoid prescription wherever possible in respect of user experience for prompts or other permissions-related user configuration. I was thinking more along the lines of a requirement for now on our spec, rather than a requirement on a User Agent - stating that the spec [SHOULD|MUST] be capable of implementation without modal security prompts during the execution of a web application. Thanks - Paddy
Received on Wednesday, 7 October 2009 12:45:34 UTC