- From: Nick Doty <notifications@github.com>
- Date: Fri, 25 Mar 2016 15:21:42 -0700
- To: w3c/permissions <permissions@noreply.github.com>
- Message-ID: <w3c/permissions/issues/46/201549220@github.com>
@martinthomson Origins might choose to revoke persisted permissions for reasons similar to why they might want to clear site data in general. For example, if a user logs out and a different user logs in, the site might want the new user to have the same controls and user experience as if permission had never been granted on that origin. Or a site might try to reduce the security risk on their site (either because they know they've suffered an attack, or because the permissioned functionality is no longer necessary and so the site generally wants to reduce surface) by explicitly revoking a permission that was previously requested and may have been persisted. The user benefits from the site knowing when it makes sense, based on that application's logic, to revoke a permission. In the log-out scenario, the browser doesn't know that the user has changed. I could see some users who want to override the behavior and I don't think the spec needs to (or could!) prevent that; as always, users can configure their agents how they wish. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/permissions/issues/46#issuecomment-201549220
Received on Friday, 25 March 2016 22:22:16 UTC