Re: Intended usage notification

Like Ian, and others.

Keeping a strict separation between what the browser (which you trust) and the site (which you don't) are telling you is one of the principles of web security.
Indeed, there are enough sites that try to blur it already, by mimicking the top yellow bar or Windows pop-ups, that we shouldn't make it any easier.
That certainly applies here with geolocation.

Max.

Ian Hickson <ian@hixie.ch> writes:

> On Thu, 26 Mar 2009, Thomson, Martin wrote:
>>
>> Trust is not a binary operation on all aspects.
>> 
>> The thought process goes thus:
>> 
>> - I trust this site not to lie.
>> 
>> - This site just asked me if I wanted to be advertised at based on my 
>> location: reject.
>
> (Why would you reject it? Location-based ads are far more useful than 
> generic ads.)
>
>> - This site just asked me if I wanted to display a map of my vicinity: 
>> allow.
>
> What would happen in practice is:
>
>  - This BROWSER (not the site) just told me I had to click Accept for the 
>    site to work: accept.
>
> IMHO you won't get the user to think that the site is asking the question, 
> they'll think the message is from the browser (malware sites have already 
> shown this with, e.g., window.alert() or even screenshots of dialog boxes 
> as used in some display ads); you won't get the user to wonder about trust 
> if the site can modify the message; and you won't get sites to ask the 
> user multiple times (for ads and for maps, for example) when they can just 
> ask once and be done with it.
>
>
>> What the current arrangement does is force users to have a reasonably 
>> good conceptual model of what is going on in the web page in order to 
>> make an informed decision when the prompt is offered.  I don't believe 
>> that an average user is capable of building a useful model.
>
> I think what you are proposing has even less of a chance of being 
> understood by the user.
>
> (As Andrei points out, Gears actually tried this.)
>
>
>> The current model leads users to think: ``the last time I clicked 
>> "reject" the site didn't work.'' This has the effect of training users 
>> to blindly click accept.
>
> What you are proposing has the effect of training users to believe 
> messages the sites can control but that are integrated in browser chrome, 
> which is even worse.
>
>
> Note that the UI doesn't have to be a modal "accept/reject" interface. It 
> could also be a non-modal UI where the rejection is assumed until the user 
> opts in by clicking a button. This avoids training the user to click 
> "accept" in a far more effective way than site-controlled messages.

Received on Friday, 27 March 2009 10:24:28 UTC