Re: On Bug 23128 - 'Add an explicit "get access to media" call' from Gili on 2013-09-21 (public-media-capture@w3.org from September 2013)

From: Gili <cowwoc@bbs.darktech.org>
Date: Sat, 21 Sep 2013 13:44:48 -0400
To: public-media-capture@w3.org
Message-ID: <523DDB10.5080100@bbs.darktech.org>

On 21/09/2013 1:48 AM, Harald Alvestrand wrote:
> On 09/21/2013 07:02 AM, cowwoc wrote:
>> Hi Harald,
>>
>>     Good point. How about just making sure that the JS API provides a 
>> mechanism for implementing this UI (without mandating it)?
>
> You misunderstood.
>
> Prompting users for permission can't be done in Javascript, because 
> the Javascript is not trusted.

     That's not what I'm asking for. I'm asking for the following:

 1. Add a new API method that allows an application to register most/all
    of the permissions it'll need over its lifetime.
 2. The next time the application triggers an action that requires
    permissions (e.g. getUserMedia()) the vendor has the ability to
    prompt the user whether they'd like to grant more permissions at the
    same time.
 3. Note, we are not mandating UI behavior, just exposing more
    information to the vendor and letting them decide how to make use of it.
 4. Furthermore, note that applications don't have to invoke the method
    in #1 at all, or if they do they don't have to pass *all*
    permissions. They can register typical permissions and if the user
    runs into uncommon scenarios that require additional permissions
    they will get prompted for those individually.


>>     I believe the current API allows one to implement "Always trust 
>> this provider" but there is no mechanism allowing the application to 
>> ask for one permission while providing a full list of permissions it 
>> plans to ask for later on. If you want to allow the latter UI 
>> implementation, you'll need to add the necessary JS support.
>
> That particular API support was explicitly proposed, and explicitly 
> rejected.

     I disagree with your interpretation. What was rejected was 
providing an API that would require applications to acquire all 
permissions ahead of time at the beginning of the application. What I'm 
proposing here is a lot more passive. The method in #1 does not require 
vendors to acquire all permissions when the method is invoked (in fact, 
I'd recommend against it). It simply provides the vendor with the 
information and lets them decide on the best time/way to present this 
information.

     Lets ask the people who rejected the previous proposal what they 
think of this revised approach.

Gili

Received on Saturday, 21 September 2013 17:45:40 UTC