- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Tue, 18 Aug 2015 18:53:38 +0000
- To: public-web-nfc@w3.org

I'd favor an `nfc.watch(...)` function that takes options about how
the watch should proceed, and asks the UA to fire 'message' events
when a matching NFC device is found. @sicking has a good point in #3
that if the user

1. opens a web page to example.com and
2. brings their device close to an example.com NFC tag/peer

that may be enough to infer that they've [expressed
permission](http://w3c.github.io/web-nfc/index.html#dfn-expressed-permission),
with no extra UA prompts. On the other hand, if their example.com web
page calls `nfc.watch({url: 'https://other-site.com/path*'})` (maybe
only in a future version of the API) then the UA might want to give
users a choice when such a tag appears. UAs should be allowed to
prompt on the `nfc.watch()` call, but I think they'd be unwise to do
so.

I don't think the spec should narrow the "obtain permission"
requirements to just
[`requestAdapter`](http://w3c.github.io/web-nfc/index.html#widl-NFC-requestAdapter-Promise-NFCAdapter):
let UAs experiment with exactly how they obtain permission. The
current requirements do _allow_ UAs to prompt once at
`requestAdapter()`, and infer permission thereafter; they just don't
force it.

Spec-wise, the "[User agents must implement the following
policies](http://w3c.github.io/web-nfc/index.html#security)" section
doesn't work as-is: these restrictions need to be in the algorithms
they apply to, in which place they can say what to do when the user
hasn't given permission.

--
GitHub Notif of comment by jyasskin
See https://github.com/w3c/web-nfc/issues/40#issuecomment-132317463
Received on Tuesday, 18 August 2015 18:53:39 UTC