- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Wed, 18 Nov 2009 20:13:19 -0500
- To: ext Jonas Sicking <jonas@sicking.cc>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, David Rogers <david.rogers@omtp.org>, Maciej Stachowiak <mjs@apple.com>, Marcin Hanclik <Marcin.Hanclik@access-company.com>, Dominique Hazael-Massieux <dom@w3.org>, Robin Berjon <robin@berjon.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>, public-webapps WG <public-webapps@w3.org>
This is a good point, and an argument for "policy" rather than implicit user consent, if I'm not mistaken. It highlights that usability might also be an issue with the non-modal interaction model, as well as not always be very meaningful (since I the user might have no idea what most directories are for or where to navigate). Arbitrary directory navigation for writing files is not a good idea. More importantly we have to be careful with analogies. regards, Frederick Frederick Hirsch Nokia On Nov 18, 2009, at 3:14 PM, ext Jonas Sicking wrote: > On Wed, Nov 18, 2009 at 5:27 AM, David Rogers > <david.rogers@omtp.org> wrote: >> Hi Maciej, >> >>> From my side I'd like to understand what your thoughts and >>> proposals for file writing security / policy would entail - would >>> you defer the decision responsibility to the user via a prompt? > >> From my point of view the answer is unfortunately "there are no >> simple > answers, it's always a judgement call". > > For example for the geolocation the security model is basically: > > 1. Page asks for user position > 2. User is faced with a non-modal dialog where he/she can answer yes > or no, or simply ignore the dialog > 3. Only if the user answers "yes" then the position is returned to > the page. > > In this case I think this was an acceptable solution. > > If we added a directory API which gave access to a requested path on > the users hard drive we could use a similar security model: > > 1. Page asks user for permission to read/write to a specific > directory, say "C:\" > 2. User is faced with a non-modal dialog where he/she can answer yes > or no, or simply ignore the dialog > 3. Only if the user answeres "yes" a reference to the directory is > returned which the page can read from/write to. > > This would *not* be an acceptable solution to me, despite being > basically identical to the geolocation case. > > The reason is two-fold. I think it's easier to explain to the user > what the user is authorizing ("your location"), and if a user doesn't > understand and still clicks "yes", it has less catastrophic results. > > For the directory API though, it's much harder to explain the decision > to the user. What's the "C:\" directory? What's the difference between > that and "C:\Documents and Settings\Jonas Sicking\My Images"? What's a > directory? Also, if a user clicks "yes" without understanding the > risks, that has catastrophic results if the directory in question is > "C:\" and read/write access is granted. > > When it comes to security dialogs, the basic rule to keep in mind is > "Lots of people are not going to understand it and just click whatever > button they think will get stuff to work, or a random button". > > / Jonas >
Received on Thursday, 19 November 2009 01:14:30 UTC