Re: [Bug 22214] How long do permissions persist? from Stefan Håkansson LK on 2014-06-03 (public-media-capture@w3.org from June 2014)

From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
Date: Tue, 3 Jun 2014 06:41:10 +0000
To: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>
CC: Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <1447FA0C20ED5147A1AA0EF02890A64B1D0046C9@ESESSMB209.ericsson.se>

On 02/06/14 05:06, Eric Rescorla wrote:
>
>
>
> On Tue, May 27, 2014 at 1:32 PM, Martin Thomson
> <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
>
>     On 27 May 2014 12:33, Harald Alvestrand <harald@alvestrand.no
>     <mailto:harald@alvestrand.no>> wrote:
>      > The discussion I heard at the Media Capture TF meeting was
>     approximately
>      > between two alternatives:
>      >
>      > 1) Permission persists until the device is released by all tracks
>     sourced
>      > from it.
>      >
>      > 2) Permission persists until the page is closed. (This may allow
>     permissions
>      > to survive a page reload.)
>
>     The way we communicate with users is with indicators.  From that
>     perspective, either approach works.
>
>     I tend to prefer the former.  In the case where an application is
>     granted access to camera 1, we don't want to also enable access to
>     camera 2.  I think that the latter implies a greater scope to consent
>     than a single one-off interaction.
>
>     I'd also like to keep this open to a degree of interpretation.  Not
>     all browsers will reach the same conclusions.  Already, Chrome and
>     Firefox are demonstrably different and I think that the current
>     variation is within reasonable bounds.
>
>
> #2 seems to clearly violate the requirement that we only allow
> persistent permissions when the page is loaded over HTTPS.
> There are plenty of long-lived HTTP pages and it's not at all
> OK to have them involve a long-lived permission after the
> camera is closed.

Out of curiosity I did two simple tests with '<input type="file"' and 
with the geolocation API as they also share privacy infringing info with 
the page.

For 'input type="file"' the UAs I tested (Chrome, FF, Safari) all 
started over (and that is the only sensible thing since a reason for 
reloading may be that the user realized that the wrong file was selected 
- and I don't think it could be designed in any other way really since 
the html is reloaded).

For geolocation FF and Safari both offered "remember this choice" 
options in the dialogue, but if not selected the permission did not 
survive a page reload. For Chrome no persistence option was given, but 
the permission survived a page reload. The geolocation spec is very 
vague on what is allowed and leaves it mostly up to implementers.

Personally I feel more comfortable if the permission (location, camera) 
does not survive a reload unless I've told the UA it should persist.

Received on Tuesday, 3 June 2014 06:41:45 UTC