- From: Martin Thomson <mt@mozilla.com>
- Date: Wed, 17 Aug 2016 17:43:24 +1000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Raymes Khoury <raymes@google.com>, Jeffrey Yasskin <jyasskin@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>, Ben Wells <benwells@google.com>

On Wed, Aug 17, 2016 at 5:30 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> I think that would be good. And too much freedom leads to everyone
> having to copy the majority user agent as it determines the
> programming model around usage, which isn't really good use of our
> time.

I don't think that we can reasonably scope this to origin. At least in the sense that a .query() performed in one realm implies - absent change in circumstances - the same answer in all other realms in that same origin. Some actions can't be initiated outside of top-level browsing contexts, for instance.

I certainly think that if you are looking to limit the scope, then origin is basically mandatory. But my reading is that scope is currently realm+point-in-time, which is extremely narrow. We should look to expand that scope so that applications have a way of using .query() to be able to predict browser reactions to their actions. I think that realm scope might be sufficient for that purpose; though realm + a top-level boolean might work.

> E.g., the case comes to mind where Chrome wants to require a user
> gesture before showing a permission which it then grants persistently
> by default. Whereas Firefox would like to show permissions without
> gesture but then not grant them persistently by default. If Chrome
> starts requiring the gesture and sites adopt the gesture pattern due
> to Chrome's outreach and such, Firefox is either stuck with two clicks
> each time or adopting by default persistent permissions.

Is the fact that there has been a click observable from script in any reliable way? I guess that you can show popups and check if they were displayed, but that's massively annoying.

Where I'm going is that this implies a new entry to the key: recent-click. Well, if any browser wants to gate showing a prompt on having clicks. That makes .query() less reliable unless we make the recent-click state explicit. I guess the same goes for any top-level flag.

Received on Wednesday, 17 August 2016 07:43:55 UTC