- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 9 Aug 2016 11:26:49 +0200
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>
Apparently the latest agreement for the Permissions specification is that each permission has a "get" and "request" API and the details of those operations are up to the user agent. That does not seem great. I understand that we might want to vary on the key and even leave some things user-agent defined. But I think we want all permissions to be at least keyed by origin. And some permissions, such as storage, should only be keyed by origin and not some additional bits that are up to the user agent. (Of course, if user agents provide ways to have multiple user agents in a user agent, as with Firefox Container Tabs, that would be an additional part to the key. As would private browsing mode, but nothing else that is keyed by origin is concerned with those modes, so we shouldn't be concerned with it here either, until we expose features that make those modes visible to the web.) So I'd like to revisit that agreement and actually get us to clearly specify the store, including the bits that are user-agent defined, which is likely something that is decided upon on a per-API basis. The scope for persistent storage is not necessarily applicable to sharing the camera, but leaving both openended is not a good solution either. (It also seems rather bogus architecturally to leave such an important subsystem entirely up to the user agent and not describe its details. That will surely bite us later on.) -- https://annevankesteren.nl/
Received on Tuesday, 9 August 2016 09:27:21 UTC