W3C home > Mailing lists > Public > public-web-notification@w3.org > July 2012

Re: renamed iconUrl to icon

From: Navarr Barnier <me@navarr.me>
Date: Wed, 11 Jul 2012 23:35:58 -0400
Message-ID: <CAD4Vo+6ucqKKsh=eNP3WRycOErRD3QK=hStcEXMJ1SmNhawxhA@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Doug Turner <dougt@dougt.org>, Anne van Kesteren <annevk@annevk.nl>, Web Notification WG <public-web-notification@w3.org>
This could easily be an implementation detail that isn’t necessary by the
spec.  While I’m only a developer offering his thoughts on the public
forum, I’m not sure it’s a feature specifications place to try to protect a
user against every single thing a rogue web application can do.

That said, a custom implementation such as Chrome’s could display the
site’s favicon in both the request and in the notification, but doing so
won’t make a website that was engineered to look like Facebook any less
dangerous.  The important part that we should be alerting the user to (on
permission request) is the URL - and again that's an implementation detail,
I personally feel.

So long as implementers continue to utilize “by approval only” user’s will
be protected.  “By approval only” is thereby a security feature.

To that regard, attempting to add permissions based off of icons and adding
multiple icons is unnecessarily complicating a simplistic API.  To the
regards of different icons per resolutions, perhaps that would be better
served with features such as canvas and SVG, the latter as which should
already be treatable as an image by many web browsers(?).
Navarr T. Barnier (熊軍平野)

On Wed, Jul 11, 2012 at 11:23 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Tue, Jul 10, 2012 at 9:13 AM, Doug Turner <dougt@dougt.org> wrote:
> >> The fact that icons and titles can be set on a per-notification basis
> makes it very easy to trick the user into thinking that a notification is
> coming from someplace other than where it's coming.
> >
> > fwiw, i think that this is a feature.  Use case: Notifications from my
> > email provider would display the the sender's image as the icon.  Use
> > case two: Tweets including the user's image.
> >
> > Is it possible to support this case?
> >
> > Maybe it is useful to have two icons?  One icon for the document that
> > is posting the notification, and one icon per-notification.  This
> > would allow things like Twitter to have one icon for their application
> > and another icons per tweet.  We might be able to derive the
> > application icon via the favicon or use the application icon for
> > 'installed web apps'.
> Technically having two icons is of course implementable on at least
> some platforms. But I'm not sure how we'd implement it on android for
> example which I *think* limits what we can put in a notification.
> I definitely agree that allowing the page to set the icon supports
> more good use cases. However I'm just not sure how to do it securely.
> / Jonas
Received on Thursday, 12 July 2012 03:37:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:14 UTC