- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 18 Feb 2015 21:38:27 +0000
- To: public-nfc@w3.org
jyasskin has just created a new issue for https://github.com/w3c/nfc: == Consider removing the UA use of which user is logged in == http://w3c.github.io/nfc/charter/index.html#scope says: > The WG will consider requiring that for riskier API's that **the User Agent knows which user is logged into the User Agent and knows what types of permissions that user is allowed to set**, and the user has agreed to allowing a risky or experimental API for a particular trusted website. The identity of the user would be known by the User Agent (but not the web page), to know what is permitted for use by that Web site. The Web site is known through use of HTTPS so some APIs could be restricted to use by particular users and only by known, trusted websites. Generally the User Agent itself has only the OS-level permissions of the User, so it can't grant permissions the user doesn't have. Do we have a precedent for UAs acting as if they have more permissions than the user? I also don't know of OS restrictions on NFC use by user: either the user can access the NFC radio or not, and the tag at the other end doesn't affect that. Are there platforms I don't know about that do let users access a subset of NFC devices? I'd suggest rewording that paragraph to something like: > The WG will consider requiring that for riskier API's whether the user has agreed to allowing a risky or experimental API for a particular trusted website. The Web site is known through use of HTTPS so some APIs could be restricted to use only by known, trusted websites. See https://github.com/w3c/nfc/issues/78
Received on Wednesday, 18 February 2015 21:38:36 UTC