RE: ISSUE-28: [Policy] Requirement for NO security prompting [Security Policy Framework - General] from Ian Hickson on 2009-10-09 (public-device-apis@w3.org from October 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 9 Oct 2009 01:37:48 +0000 (UTC)
To: richard.tibbett@orange-ftgroup.com
Cc: pp.koch@gmail.com, brian.leroux@westcoastlogic.com, public-device-apis@w3.org
Message-ID: <Pine.LNX.4.62.0910090130000.21884@hixie.dreamhostps.com>

On Thu, 8 Oct 2009 richard.tibbett@orange-ftgroup.com wrote:
> 
> I agree with this. Modal dialogs are unavoidable because users MUST 
> opt-in to API usage at least once (e.g. for checking device status) but 
> perhaps on an ongoing basis (e.g. for sending SMS).

There are plenty of ways of designing APIs without modal security prompts. 
for example, you can have an API that uses a callback, and just show 
a non-modal overlay offering to enable a feature, e.g. an infobar with a
label saying "Would you like to give this site access to your current 
geographic position?" and some buttons, e.g. "Deny geolocation access", 
"Permit access but snap to the center of the nearest city", or "Permit 
access for one hour". (This is the model used by the Geolocation API, if I 
am not mistaken.)

Or you can have an API that uses events, and where if the user, e.g., 
wants to use the camera with the site, then he has to explicitly drag a 
camera icon onto the page. (This is the model used for the drag-and-drop 
file upload mechanism.)

Or you can have an element that shows an unstylable widget which, when 
activated *by the user*, shows modal UI for implied permission selection, 
in the form of an activity the user understands. (This is the model used 
by the <input type=file> file upload mechanism.)

Security designs that reliy on out-of-band preferences being configured by 
the user, that rely on modal prompts that interrupt the user's workflow, 
or that rely on users making educated security choices, are all 
non-starters, in my opinion. They irritate the user, and they are 
completely ineffective (users click through prompts without reading them).

Any security prompt might as well just say to the user "Do you want to 
continue getting your work done? (Yes) (No)". That's all that the user 
will get from them anyway.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 9 October 2009 01:27:56 UTC