Re: [w3c/permissions] A new permission for canvas data (#165) from Jeffrey Yasskin on 2017-12-19 (public-webapps-github@w3.org from December 2017)

From: Jeffrey Yasskin <notifications@github.com>
Date: Tue, 19 Dec 2017 00:21:45 +0000 (UTC)
To: w3c/permissions <permissions@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/permissions/issues/165/352600152@github.com>

@raymeskhoury I thought about suggesting the more general fingerprinting permission, but I think the developer-facing API winds up being harder to use as we cover new APIs with it. For example, say we've rolled out the Canvas.toBlob() prompt under "fingerprinting", and then we want to add a prompt for (making something up) token-bound fetching. How should a site figure out that the browser's going to prompt for their fetch?

I think the prompt itself (e.g. "can this site do things that might fingerprint you?") could grant several of these permissions at once, like we were considering for the movement sensors.

@isislovecruft I'm understanding a different request from your post than from @tomrittervg's post. Specifically, I believe Tom asked for a way for the site to ask "if I do this, will a prompt appear?", while I think you're asking for a way for a site to ask "please show the prompt now, if you would at all." Tom's is what the [permissions.query()](https://w3c.github.io/permissions/#dom-permissions-query) function in this spec does, while yours is handled by [permissions.request()](https://jyasskin.github.io/permissions-request/), which got kicked out to another spec at the request of some other Mozilla folks.

They're both sensible things to want ... and while [toBlob()](https://html.spec.whatwg.org/multipage/canvas.html#dom-canvas-toblob) is fine with just the query, now that I've looked at [toDataURL()](https://html.spec.whatwg.org/multipage/canvas.html#dom-canvas-todataurl) more, because it returns a result synchronously, it'll probably still have to return a blank result while query() returns "prompt". This is *probably* ok, since site developers who are aware of the problem can call toBlob() instead in order to wait for the user to answer the prompt. request() would be a more explicit way to do this, but it's not essential.

In summary, I'm currently +1 on adding the "canvas-pixeldata" PermissionName for use with permissions.query().

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/165#issuecomment-352600152

Received on Tuesday, 19 December 2017 00:22:09 UTC