Re: On Bug 23128 - 'Add an explicit "get access to media" call' from Harald Alvestrand on 2013-09-23 (public-media-capture@w3.org from September 2013)

From: Harald Alvestrand <harald@alvestrand.no>
Date: Mon, 23 Sep 2013 07:17:25 +0200
To: public-media-capture@w3.org
CC: Anne van Kesteren <annevk@annevk.nl>, robert@ocallahan.org, Martin Thomson <martin.thomson@gmail.com>
Message-ID: <523FCEE5.2070201@alvestrand.no>

Adding directly the 3 people who I think you have to convince explicitly.

On 09/21/2013 07:44 PM, Gili wrote:
> On 21/09/2013 1:48 AM, Harald Alvestrand wrote:
>> On 09/21/2013 07:02 AM, cowwoc wrote:
>>> Hi Harald,
>>>
>>>     Good point. How about just making sure that the JS API provides 
>>> a mechanism for implementing this UI (without mandating it)?
>>
>> You misunderstood.
>>
>> Prompting users for permission can't be done in Javascript, because 
>> the Javascript is not trusted.
>
>     That's not what I'm asking for. I'm asking for the following:
>
>  1. Add a new API method that allows an application to register
>     most/all of the permissions it'll need over its lifetime.
>  2. The next time the application triggers an action that requires
>     permissions (e.g. getUserMedia()) the vendor has the ability to
>     prompt the user whether they'd like to grant more permissions at
>     the same time.
>  3. Note, we are not mandating UI behavior, just exposing more
>     information to the vendor and letting them decide how to make use
>     of it.
>  4. Furthermore, note that applications don't have to invoke the
>     method in #1 at all, or if they do they don't have to pass *all*
>     permissions. They can register typical permissions and if the user
>     runs into uncommon scenarios that require additional permissions
>     they will get prompted for those individually.
>
>
>>>     I believe the current API allows one to implement "Always trust 
>>> this provider" but there is no mechanism allowing the application to 
>>> ask for one permission while providing a full list of permissions it 
>>> plans to ask for later on. If you want to allow the latter UI 
>>> implementation, you'll need to add the necessary JS support.
>>
>> That particular API support was explicitly proposed, and explicitly 
>> rejected.
>
>     I disagree with your interpretation. What was rejected was 
> providing an API that would require applications to acquire all 
> permissions ahead of time at the beginning of the application. What 
> I'm proposing here is a lot more passive. The method in #1 does not 
> require vendors to acquire all permissions when the method is invoked 
> (in fact, I'd recommend against it). It simply provides the vendor 
> with the information and lets them decide on the best time/way to 
> present this information.
>
>     Lets ask the people who rejected the previous proposal what they 
> think of this revised approach.

If you can convince Anne, Rob and Martin, I'm happy to have the issue 
reopened.

Received on Monday, 23 September 2013 05:16:24 UTC