W3C home > Mailing lists > Public > public-device-apis@w3.org > June 2010

Re: JavaScript Permissions interface in WebApps

From: イアンフェッティ <ifette@google.com>
Date: Wed, 30 Jun 2010 09:06:07 -0700
Message-ID: <AANLkTinjGFmhDKrPr-J62tyvMrbrdaP3567VYXn4gNzj@mail.gmail.com>
To: Frederick.Hirsch@nokia.com
Cc: dougt@dougt.org, robin@robineko.com, dom@w3.org, public-device-apis@w3.org, johnnyg@google.com
The thread where this is being discussed is
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/1150.html - i
would look there for more info

On Wed, Jun 30, 2010 at 9:03 AM, <Frederick.Hirsch@nokia.com> wrote:

> Ian
>
> Thanks for the very clear and helpful explanation.
>
> I think some of this is similar in intent to some of the other proposals in
> DAP.
>
> Where and how do you plan to define items that have permissions associated
> with them? For example, is there a URI for "obtaining user location" and
> where is this defined? (I guess I'm asking if you have a more detailed
> spec).
>
> If I missed this in a thread or elsewhere, a link would be helpful.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Jun 30, 2010, at 11:52 AM, ext Ian Fette (イアンフェッティ) wrote:
>
> On Wed, Jun 30, 2010 at 8:31 AM, <Frederick.Hirsch@nokia.com> wrote:
>
>> Ian
>>
>> Good point, I agree.
>>
>> Policy decision is a separable aspect that determines how a decision is
>> reached, either by user query, rules, whatever.
>>
>> Then you have a running app. Now it seems that ultimately an app tries to
>> call a method, which then the OS/browser/etc enforces a decision of whether
>> the invocation is allowed.
>>
>> What isn't clear to me is that I think you might be suggesting another
>> approach which is for the app to ask if permissions are granted, and then
>> only invoke the method if they are.
>>
>> This has the advantage of enabling bundling various permission requests,
>> reducing user interaction in the case of many requests. However it does  no
>> enforcement, so if the app ignores the decision (a bad app) then the
>> OS/browser/etc still needs to know the result of the policy decision and
>> enforce it before allowing the method to proceed.
>>
>>
> This is correct, it does allow bundling of various permissions requests,
> but does not do any "enforcement". Rather, it simply tells developers what
> is _going_ to happen, and if they are unhappy with that (e.g. they get back
> an "unknown" instead of an "allowed") they can potentially try to request a
> permission (or set of permissions) and see if the state of the world
> changes, e.g. unknowns become allows. This allows an application developer
> to ensure that they have whatever baseline set of capabilities they require,
> rather than finding that out half-way in (and after generating N different
> prompts to the user.)
>
>
>> Are you thinking in terms of an app asking permission, or of receiving
>> capability tokens, or simply enforcement at the methods?
>>
>>
> I am not proposing changing any of the enforcement mechanisms, e.g. adding
> some token. Rather, the browser continues to apply its decision making
> process / policy as normal, but the app can get the result ahead of actually
> using the API, and if the app requests a permission and this has some effect
> (e.g. a prompt to the user which the user interacts with, implementation
> dependent, but imagine the user saying "yes, I will allow this site to
> access my location" and the browser remembering that decision), then the
> result is changed, even though the mechanism is not.
>
>
>> It would help me to understand the model you have in mind, in terms of the
>> flow. Perhaps it is in an email I missed, if so I apologize.
>>
>
> Two examples:
>
> The original proposal was with respect to geolocation. Imagine I'm google
> maps. I have a "show my location button". I want to know if it makes sense
> to even show this button. Right now, the only thing I can do is call the
> geolocation API and attempt to get the location. In most cases, this will
> generate some user prompt - but I don't actually want the user's location or
> to annoy the user with a prompt, rather I just want to know *if I can get
> it* so that I know whether to show the button or not. If I can call
> checkPermission() then I can hide the button if the response is "deny", or
> show the button if the response is "unknown". If the response is "allow", I
> might instead just go ahead and get the permission, and have a "turn off
> location" button instead.
>
> Now, imagine being able to get more permissions. E.g. I'm a mail app, and
> the user says they want to turn on offline mail access. I know I need more
> quota, but I want to request it upfront. I might also need other
> permissions, e.g. filesystem API persistent storage, and something else. I
> can use requestPermission() to get all of these permissions up front, rather
> than having to try storing whatever data I  can until I hit some unknown
> quota and then "seeing what happens". Granted, the original proposal doesn't
> quite go this far in terms of what permissions were being considered, but I
> think it may allow for such things eventually.
>
>
>>
>> This seems to be related to  checkPermission/requestPermission
>>
>> I'd like to better understand what you have in mind to see how it fits
>> with what the DAP WG has been discussing.
>>
>> Thanks!
>>
>>  regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
>> On Jun 30, 2010, at 10:20 AM, ext Ian Fette (イアンフェッティ) wrote:
>>
>> Maybe I'm missing something, but it seems that there's two distinct
>> interests here.
>>
>> The first interest is in expressing policies. There has been a history of
>> talk in DAP about the ability to specify policies for access to various
>> devices/resources/APIs. From a web developer perspective, the policy threads
>> boil down to the question of "what is the result when a various site tries
>> to do something? Is it allowed, is it denied, or is it unknown [ e.g. ask
>> the user ]." How that decision is made seems orthogonal to the question of
>> "what will happen if I try to do XYZ" - whatever mechanism you are using
>> (hardcoded defaults, a policy you consult, etc) you should be able to answer
>> that question.
>>
>> The second interest is the answer to the question "what is the effect of
>> the policy being used" - and here I use "policy" in a loose sense. A
>> developer shouldn't have to care what policy the user has set, rather the
>> question is "can I use this API, and if not, can I successfully get
>> permission to use it?"
>>
>> It seems that we should be able to de-couple discussion of the second from
>> the first.
>>
>> -Ian
>>
>> On Wed, Jun 30, 2010 at 6:36 AM, <Frederick.Hirsch@nokia.com> wrote:
>>
>>> Hi Doug
>>>
>>> > Lastly, it will be very hard to implement anything that does the
>>> following:
>>>
>>> The following paper might be relevant, have you looked at it yet? This
>>> seems to offer some additional information.
>>>
>>> http://escholarship.org/uc/item/0rp834wf
>>>
>>> I understand there are pragmatic concerns - yet can we do more to find a
>>> good balance? supporting rulesets may be a possibility  - we'll have to talk
>>> about it at the workshop
>>>
>>> regards, Frederick
>>>
>>> Frederick Hirsch
>>> Nokia
>>>
>>>
>>>
>>> On Jun 29, 2010, at 4:42 PM, ext Doug Turner wrote:
>>>
>>> > Hey Robin,
>>> >
>>> > I would love to build a draft doc, but really... we should ask John
>>> Gregg.  He is the editor of the Desktop Notification and he is to "blame"
>>> for the bulk of this API.  John, would you like to factor this out and
>>> propose it as a separate spec?
>>> >
>>> >
>>> > Also, I am not really interested in options for this specification.  If
>>> we have to spec out additional things, we can do that in the future.
>>> >
>>> >
>>> > Lastly, it will be very hard to implement anything that does the
>>> following:
>>> >
>>> > { retain: "briefly", distribute: false }
>>> >
>>> > This is basically the same idea the the CDT/GeoPriv folks wanted in the
>>> Geolocation WG.  This wont work from the UAs point of view for many reasons.
>>>  Before you consider rehashing the debate on this thread, I urge you to you
>>> can check out the Geolocation WG meeting notes from the Dec. Face-to-Face
>>> for the details.
>>> >
>>> > Regards,
>>> > Doug Turner
>>> >
>>> >
>>> >
>>> > On Jun 29, 2010, at 2:46 AM, Robin Berjon wrote:
>>> >
>>> >> Hey Doug,
>>> >>
>>> >> On Jun 28, 2010, at 23:31 , Doug Turner wrote:
>>> >>> The unknown case would most likely bring up a UI in Firefox.  The
>>> other states talk about if an application is allowed to use a particular
>>> feature.  checkPermission could return 'false' stating that the application
>>> is not allowed to preform some action... maybe because the user has
>>> previously disabled this feature (like opt'd out of gelocation).  Maybe
>>> these we previously set by the user, maybe they are just defaults in the
>>> UA.... but how they got set is really an implementation detail.
>>> >>
>>> >> As I've said before, I think that this could be an interesting avenue
>>> of work. Out of curiosity: would you be interested in scaring up a draft?
>>> >>
>>> >> I also wonder if there could be value in adding an options argument to
>>> allow one to provide more information about the check. For instance, as you
>>> probably recall, there was a discussion not so long ago about quotas for
>>> permanent and temporary storage. I wonder if this could not be done through
>>> this interface as well with something like
>>> checkPermission("permanent-storage", { size: "all-your-teras" }).
>>> >>
>>> >> With options, it might be possible to provide some privacy terms
>>> (perhaps based on our rulesets, or Aza's "essential things, or whatever
>>> comes out of next month's workshop). Something like
>>> checkPermission("contacts", { retain: "briefly", distribute: false }).
>>> >>
>>> >> Another thing: if it's just checking for permission, the method can I
>>> guess be synchronous. But we could add a third argument being a callback
>>> that would make it actually request the permission (or it could be a
>>> separate method, as proposed before). In that case, the callback could get
>>> an object implementing the interface that it's looking for. This would avoid
>>> namespace pollution on navigator (or wherever else most of these APIs end up
>>> being stuck) as well as a fair amount of bikeshedding.
>>> >>
>>> >> I'm not saying all or in fact any of this is a good idea — just
>>> sticking it out there :)
>>> >>
>>> >> --
>>> >> Robin Berjon
>>> >> robineko — hired gun, higher standards
>>> >> http://robineko.com/
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>
>>
>
>
Received on Wednesday, 30 June 2010 16:06:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:10 GMT