
From: Paddy Byers <paddy.byers@gmail.com>
Date: Wed, 7 Oct 2009 13:45:00 +0100
Message-ID: <59db1b5a0910070545r53f9a70cte40d4c8a40f8738c@mail.gmail.com>
To: Frederick Hirsch <frederick.hirsch@nokia.com>
Cc: ext Marcin Hanclik <Marcin.Hanclik@access-company.com>, Device APIs and Policy Working Group WG <public-device-apis@w3.org>
Hi,

> I was suggesting the extreme approach for *security* dialogs, since it seems
> to be a security not-best-practice, and taking an extreme point might help
> with making a decision by eliciting responses...
>
> Given the arguments in the position papers, I'm wondering why we shouldn't
> say something in DAP about this.
>

I think it is absolutely right that this is considered and something is said
about it.

However, there will probably continue to be situations where dialogs at
runtime (rather than solely at installation time) are unavoidable, depending
on the kind of security decision a user is being asked to make.

I would definitely welcome a design approach that eliminated the need for
modal prompts, along the lines of the Mozilla position paper, for example by
ensuring that all APIs that potentially cause prompts are asynchronous.

Beyond that, I think we should probably avoid prescription wherever possible
in respect of user experience for prompts or other permissions-related user
configuration.

I was thinking more along the lines of a requirement for now on our spec,
rather than a requirement on a User Agent - stating that the spec
[SHOULD|MUST] be capable of implementation without modal security prompts
during the execution of a web application.

Thanks - Paddy
Received on Wednesday, 7 October 2009 12:45:34 UTC
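
The asynchronous-API design the message refers to, as an added sketch that is not part of the original post or of any DAP specification. The names PermissionBroker, requestContacts and answer, the origins and the contact data are all hypothetical; the point shown is that a permission decision delivered through callbacks lets the user agent prompt non-modally (or not at all) while the web application keeps running.

```javascript
// Added illustration. All names are hypothetical; no real device API is modelled.
class PermissionBroker {
  constructor() {
    this.pending = [];            // requests still awaiting a user decision
    this.remembered = new Map();  // "origin|capability" -> true / false
  }

  // The call never waits for the user: the outcome arrives through callbacks,
  // so the user agent is free to show a non-modal prompt whenever it likes.
  requestContacts(origin, onSuccess, onError) {
    const key = `${origin}|contacts`;
    if (this.remembered.has(key)) {
      this.settle(this.remembered.get(key), onSuccess, onError);
      return;
    }
    this.pending.push({ key, onSuccess, onError });
  }

  // Invoked by the user agent's own UI when (and if) the user answers.
  answer(key, allow) {
    this.remembered.set(key, allow);
    const waiting = this.pending.filter((req) => req.key === key);
    this.pending = this.pending.filter((req) => req.key !== key);
    for (const req of waiting) this.settle(allow, req.onSuccess, req.onError);
  }

  settle(allow, onSuccess, onError) {
    if (allow) onSuccess(["constructed-contact"]); // constructed sample data
    else onError(new Error("PERMISSION_DENIED"));
  }
}

function demo() {
  const events = [];
  const ua = new PermissionBroker();
  const app = "https://app.example";      // constructed origins
  const other = "https://other.example";
  ua.requestContacts(app, () => events.push("granted"), () => events.push("denied"));
  events.push("app keeps running");        // script was not blocked by a prompt
  ua.requestContacts(other, () => events.push("other-granted"), () => events.push("other-denied"));
  ua.answer(`${app}|contacts`, false);     // user declines some time later
  // Remembered decision: no second prompt, the denial is delivered directly.
  ua.requestContacts(app, () => events.push("granted"), () => events.push("denied-again"));
  return { events, stillPending: ua.pending.length }; // "other" was never answered
}
```

A request the user never answers simply stays pending; nothing in the application blocks on it.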
