[w3c/permissions] Drop .request() (#83)

I realize that this might be a minority opinion here, but I think that `.request()` stands to undermine a lot of the work that we've done to make permissions on the web meaningful and relevant to users.  The most important aspect of that being that permissions requests are made in context.

You have probably all read [this](http://robert.ocallahan.org/2011/06/permissions-for-web-applications_30.html) before, but it's worth a refresher.  That summarizes where this is coming from.  I will note that model has been vindicated in that Android has moved to making requests in context also.

What I want to focus on here, something I consider more important than speculation about how applications might actually use `.request()`, is the consequence aspect of making individual APIs trigger use consent interactions.

When an application calls `getUserMedia()` (for the first time), it causes *two* things to happen: a user consent interaction, and acquisition of a resource.  The same for geolocation.  As a consequence, the users sees that the application is then recording media or accessing their GPS (both of which usually have indicators in chrome that the user has already learned to recognize).

I believe that coupling of request and consequence to be important.  It provides applications with an incentive to defer requests until the point where the capability provided by the API is needed.  More so in browsers that don't implement persistent-by-default permissions.  That preserves the contextual relationship between asking and using.

An API like `.request()` undermines this model.  We already have ways to request permission from users, and I don't see any suggestion that we're going to change that.  That means that this API only serves to endorse modes where asking is decoupled from consequence.

There might be exceptions to this, and here I note that we don't appear to have a good substitute for just asking ahead of time when it comes to push notifications.  The Notifications API has its own analogue of `.request()` for that purpose, which turns out to be bad UX, but the best we've been able to come up with thus far.  That doesn't justify the creation of a generic permission request capability.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/83

Received on Monday, 18 April 2016 01:32:58 UTC