On Mar 14, 2012, at 11:46 AM, Jon Lee wrote: > > On Mar 13, 2012, at 1:49 PM, John Gregg <johnnyg@google.com> wrote: > >> Well I agree that explicit permission models are not as good as implicit ones where that's possible. But some features do require explicit permission models, and I don't get the idea that simply having a single good way of doing that encourages bad behavior among feature designers. I would hope that new features for the web platform (a relatively rare thing) are proceeding carefully as in this process here. > > > Unfortunately, future spec authors might not proceed so thoughtfully. Spec authors already cite precedent as a reason for adopting existing patterns. After all, we should try to keep the Web platform coherent. > > There are currently three different permissioning models used by Web APIs: implicit (drag-and-drop), on-demand (geolocation), and explicitly requested (notifications). Explicit permissioning is the least desirable of these three models, and we should discourage it whenever possible. > > By only providing a generic API for explicit permissioning, we implicitly elevate that model to be the preferred approach for the whole Web platform. Thus far, the lack of a common API for *any* of the Web's permissioning models has forced spec authors to think hard about how permissioning should work in each case. > > In another part of this thread, you said—and I agree—that providing the pattern to follow for explicit permissions is vitally important. We should consider writing a Note discussing the different permissioning models of Web APIs and the trade-offs among them. Spec authors could then refer to this Note when designing features requiring permissioning. > > Jon That sounds right. We can add a non-normative advisory to implementors about using this explicit pattern. Doug
Received on Thursday, 15 March 2012 02:00:54 UTC