Re: [geolocation-api] Explicitly limit permission lifetimes (#47)

While I appreciate the points expressed above, and i think it'd be good to have a general solution to permission lifetimes, there are aspects of geolocation that make it especially important to have those restrictions in place for geolocation, and that w/o which the spec poses uniquely critical privacy issues.

Specifically:
1. the data exposed by the API is among, if not the absolute most, sensitive data in the platform can expose, in a rec-track spec
2. the spec [specifically requires implementors to allow websites to request ongoing updates to location](https://w3c.github.io/geolocation-api/#requirements_section).  This makes permission lifetime uniquely important here

Put diff, if the spec is going to allow people to be located with high precision, and requires implementors to provide that capability to sites in a way that allows for easily forgettable background updates, it seems pretty important to have the spec cover how to that permission must be responsibly constrained too.

I don't have a pref about whether that conversation takes place here, or WebAppSec, or PrivacyCG, or elsewhere, but i dont see how this spec could advance w/o that work being done first.

-- 
GitHub Notification of comment by pes10k
Please view or discuss this issue at https://github.com/w3c/geolocation-api/issues/47#issuecomment-652029993 using your GitHub account

Received on Tuesday, 30 June 2020 20:38:24 UTC