Re: renamed iconUrl to icon

On Tue, 10 Jul 2012, Jonas Sicking wrote:
> 
> One way to address all of the above problems is to require that an icon 
> URL is specified when the requestPermission function is called. That way 
> multiple URLs, and the implementation can display the icon when the 
> permission is requested, meaning that the user can review the icon that 
> will be used at the same time as the permission grant is happening. It 
> also allows the implementation to download all icons up front, meaning 
> that no network requests have to happen when a notification is displayed.
> 
> However this is a pretty big change to the API which we realize is 
> problematic.

The ideal permission UI, IMHO, is one where the first time a site pops up 
a notification, it is constrained to appearing within its own frame (i.e. 
can't do anything more than it could do anyway with a positioned <div>), 
and somewhere on that notification is a button that "pops out" the 
notification to the system level, after which notifications from that 
origin can go to the system level (and similarly a button on the popped 
out notifications can revoke this permission).

We could solve the spoofing icon problem by making this permission be 
scoped to the specific icon being displayed -- whenever the icon changes, 
either because its URL changed or because the image at that URL changed, 
then you implicitly cancel the permissions grant.

(With this model there's no point having a requestPermission() method, of 
course. In general I would consider any API that has an explicit "request 
permission" step to be rather fundamentally missing the point of the Web's 
security model.)

Regarding the multiple icons issue, I recommend an approach similar to 
image-set() in CSS, srcset="" in HTML, or <link rel=icon sizes> in HTML, 
depending on what the exact requirements are.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 10 July 2012 16:14:41 UTC
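
A minimal model of the icon-scoped grant described in the reply above, added here as an illustration and not code from the thread or from any browser. The class and method names are hypothetical, and icon bytes are compared directly where a real implementation would more likely store a cryptographic digest of the image.

```javascript
// Added illustration: icon-scoped notification permission. All names are hypothetical.

// Byte-for-byte comparison of two icon images.
function sameBytes(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

class IconScopedPermissions {
  constructor() {
    this.grants = new Map(); // origin -> { iconUrl, iconBytes }
  }

  // The user pressed "pop out" on an in-frame notification showing this icon.
  popOut(origin, iconUrl, iconBytes) {
    this.grants.set(origin, { iconUrl, iconBytes: Uint8Array.from(iconBytes) });
  }

  // The user pressed the revoke button on a system-level notification.
  revoke(origin) {
    this.grants.delete(origin);
  }

  // Decide where a notification from `origin` may be drawn.
  route(origin, iconUrl, iconBytes) {
    const grant = this.grants.get(origin);
    if (!grant) return "in-frame"; // never popped out: stay inside the page's frame
    const unchanged = grant.iconUrl === iconUrl && sameBytes(grant.iconBytes, iconBytes);
    if (!unchanged) {
      this.grants.delete(origin); // icon changed: the grant is implicitly cancelled
      return "in-frame";
    }
    return "system";
  }
}

// Constructed sample data: two tiny byte strings standing in for icon images.
function demo() {
  const perms = new IconScopedPermissions();
  const origin = "https://mail.example";
  const url = origin + "/icon.png";
  const original = Uint8Array.of(1, 2, 3, 4);
  const swapped = Uint8Array.of(9, 9, 9, 9); // same URL, different image
  const seen = [perms.route(origin, url, original)]; // before any grant
  perms.popOut(origin, url, original);
  seen.push(perms.route(origin, url, original)); // granted icon
  seen.push(perms.route(origin, url, swapped)); // image at the URL changed
  seen.push(perms.route(origin, url, original)); // grant is gone until popped out again
  return seen;
}
```

Because the grant is deleted on the first mismatch, restoring the original image does not restore system-level display; the user has to pop out a notification again.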