- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 19 Aug 2015 18:54:19 +0000
- To: public-web-nfc@w3.org
For web-page/same-origin-web-tag pairings, +1 on inferring permission from the foregroundness and the tap. I don't think asking for forgiveness is appropriate here: unlike fullscreen, any damage is done as soon as the message is transferred. We should just treat same-origin communication as ok. For web-page/cross-origin-web-tag pairings, we can say "Do you want to let https://origin1.com/ read this tag from https://origin2.com/?", and we can give a "remember this choice" checkbox for that origin pairing. We can even give the user a multi-way choice, between letting the current page read the tag, opening the tag's URL, and ignoring the tag. That makes a pretty good dialog. This would happen on tapping the tag, not on watching the cross-origin url. For non-web tags, we don't have an origin to ask the user about. We could ask about the mime type, but folks are less used to being asked about mime types, so it'll be hard without a database of human-readable names for them. Does NFC give you the technical ability to identify that you're seeing a particular physical tag for the second time (ignoring malicious native apps)? If so, we could "remember this choice" about that exact pairing, so the user can pair their metro card with a particular site. (Note that there shouldn't be any normative requirements about this in the spec. The spec should include a place to get the user's consent, and say what happens if the user doesn't give consent, but otherwise leave it up to the UA. This issue is just about informatively outlining some options for UAs.) -- GitHub Notif of comment by jyasskin See https://github.com/w3c/web-nfc/issues/3#issuecomment-132741175
Received on Wednesday, 19 August 2015 18:54:23 UTC