On Mar 14, 2012, at 11:46 AM, Jon Lee wrote:
>
> On Mar 13, 2012, at 1:49 PM, John Gregg <johnnyg@google.com> wrote:
>
>> Well I agree that explicit permission models are not as good as implicit ones where that's possible. But some features do require explicit permission models, and I don't get the idea that simply having a single good way of doing that encourages bad behavior among feature designers. I would hope that new features for the web platform (a relatively rare thing) are proceeding carefully as in this process here.
>
>
> Unfortunately, future spec authors might not proceed so thoughtfully. Spec authors already cite precedent as a reason for adopting existing patterns. After all, we should try to keep the Web platform coherent.
>
> There are currently three different permissioning models used by Web APIs: implicit (drag-and-drop), on-demand (geolocation), and explicitly requested (notifications). Explicit permissioning is the least desirable of these three models, and we should discourage it whenever possible.
>
> By only providing a generic API for explicit permissioning, we implicitly elevate that model to be the preferred approach for the whole Web platform. Thus far, the lack of a common API for *any* of the Web's permissioning models has forced spec authors to think hard about how permissioning should work in each case.
>
> In another part of this thread, you said—and I agree—that providing the pattern to follow for explicit permissions is vitally important. We should consider writing a Note discussing the different permissioning models of Web APIs and the trade-offs among them. Spec authors could then refer to this Note when designing features requiring permissioning.
>
> Jon
That sounds right. We can add a non-normative advisory to implementors about using this explicit pattern.
Doug