Re: [sensors] Spec should include mandatory mitigations for privacy harms / risks (#397) from Anssi Kostiainen via GitHub on 2019-11-27 (public-device-apis-log@w3.org from November 2019)

From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
Date: Wed, 27 Nov 2019 12:46:00 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-559073025-1574858759-sysbot+gh@w3.org>

Having read the [normative references considerations](https://www.w3.org/2013/09/normative-references), my assessment is we're able to normatively reference pre-CR documents in a CR given good rationale considering stability, schedule, and licensing dimensions. @plehegar to clarify.

Since stability of `permissions.request()` extension [PERMISSIONS-REQUEST] seemed to be the key concern out of these dimensions, I summarize related considerations below:

- [Generic Sensor API CR published 20 March 2018](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/) contained a [normative reference to the Permissions API](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#references).
- The Permissions API spec [has not changed substantially](https://github.com/w3c/permissions/commits/master) since 20 March 2018.
- The `permissions.request()` extension [PERMISSIONS-REQUEST] has remained stable since 28 September 2017. Chrome has [indicated interest to implement](https://github.com/w3c/sensors/issues/388#issuecomment-471941760) this extension.
- Permissions API [PERMISSIONS] has a [normative dependency](https://w3c.github.io/permissions/#normative) on [PERMISSIONS-REQUEST].
- The `permissions.request()` defines reusable infrastructure. This suggests it is better defined as a Permissions API extension for reusability reasons, rather than in a domain-specific Generic Sensor API.

 Rationale:

- Given [PERMISSIONS] and [PERMISSIONS-REQUEST] have remained stable for ~21 months and there has been implementer interest, we can publish a revised CR with pre-CR [PERMISSIONS] as a normative reference.

Assuming the Director is satisfied with the rationale, I think the following proposal made earlier addresses this issue satisfactorily, reproduced here for clarity:

>https://html.spec.whatwg.org/multipage/interaction.html#triggered-by-user-activation is added to https://wicg.github.io/permissions-request/#dom-permissions-request as a condition for success. This generalizes the already shipping pattern defined in https://w3c.github.io/deviceorientation/#dom-deviceorientationevent-requestpermission

@snyderp @reillyeon please confirm that you are satisfied with the proposal so that we can advance with the publication. Thank you!

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/sensors/issues/397#issuecomment-559073025 using your GitHub account

Received on Wednesday, 27 November 2019 12:46:02 UTC