- From: cowwoc <cowwoc@bbs.darktech.org>
- Date: Sat, 21 Sep 2013 01:02:10 -0400
- To: Harald Alvestrand <harald@alvestrand.no>
- CC: public-media-capture@w3.org
- Message-ID: <523D2852.8090901@bbs.darktech.org>
Hi Harald,
Good point. How about just making sure that the JS API provides a
mechanism for implementing this UI (without mandating it)?
I believe the current API allows one to implement "Always trust
this provider" but there is no mechanism allowing the application to ask
for one permission while providing a full list of permissions it plans
to ask for later on. If you want to allow the latter UI implementation,
you'll need to add the necessary JS support.
Gili
On 18/09/2013 12:47 PM, Harald Alvestrand wrote:
> Gili, these are UI design considerations, not JavaScript api
> considerations. We have stayed away from specifying UI in the spec.
>
> cowwoc <cowwoc@bbs.darktech.org> wrote:
>
> On 17/09/2013 2:14 PM, cowwoc wrote:
>
> On 15/09/2013 8:07 PM, Silvia Pfeiffer wrote:
>
> On Mon, Sep 16, 2013 at 8:54 AM, Harald Alvestrand
> <harald@alvestrand.no> wrote:
>
> On 09/09/2013 04:02 PM, Stefan HÃ¥kansson LK wrote:
>
> Putting my chair hat on, the discussion regarding
> adding an explicit "get access to media" call
> seems to be leaning towards that this is something
> we should not do. Unless more people speak up
> saying they want this I will close the bug, with a
> comment saying there was not support to add this,
> later this week. Stefan
>
> Just to say a final word here: I feel that the
> arguments put forward by Anne, Robert and Martin are
> wrong. In trying to prevent a particular class of bad
> application behaviours, they are taking away the
> ability to write good applications that can do what's
> right for the user. I believe that having the asking
> for permissions be an action that is triggered
> explicitly by Javascript can give better user
> interfaces to better applications than having the
> triggering of the same asking for permission be
> implicit in a Javascript action whose purpose is
> something else can. We're sacrificing the ability to
> write great applications in order to make it harder to
> write bad ones. But I accept that my viewpoint, so
> far, has not found consensus in the group, and will
> accept my chair's decision to close the bug as WONTFIX
> / Working as intended, if that remains the position of
> the rest of the group.
>
> I have a gut feeling that Harald is correct, but I don't
> have any data to make a case yet. I hope the group will be
> open to reconsider introducing an explicit JS permission
> call in future once we have more experience with the
> current interface and whether or not it is sufficient.
>
> I'd like to suggest a possible compromise (borrowing the idea
> from Java): We continue prompting the user for individual
> permissions, but we add "Always trust this provider". By the
> time users get a second prompt, or visit the site a second
> time, they are likely to select this option which basically
> says "provide this provider with any permission they ask for".
> Users who want fine-grained control get it. Users who couldn't
> care less (your typical grandmother) will suppress all further
> checks. I don't think there is a value in asking "your
> grandmother" for permissions multiple times because (in my
> experience) they don't really read the prompt before
> confirming (due to user fatigue and lack of technical
> background) so providing this option isn't really a security
> hazard.
>
>
> Or (probably even better) we prompt users for one permission at a
> time, but give them the option to review all permissions and accept them
> at once. It's a hybrid between Harald's proposal and Java's "Always
> trust this provider".
>
> It would look something like this: "foobar.com <http://foobar.com> would like to use
> your Webcam. [Accept] [Reject] [Review all permissions]"
>
> Clicking on "Review all permissions" would bring up a panel similar
> to Android, listing all permissions and allowing the user to grant them
> all at once.
>
> Gili
>
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Received on Saturday, 21 September 2013 05:02:48 UTC