Re: [w3c/permissions] Consider removing Permissions.revoke(). (#46)

@martinthomson 
> That's either mildly annoying ("didn't I just say yes"), or hazardous (training users to click through without consideration).
> 
> Also, I disagree that sites want to do this. We see sites actually being unwilling to ask for permission, simply because a user might deny the request and that denial might then be permanent.

Are you concerned about `revoke()` because you think it's going to be used too much or because it's going to be used not enough? I don't expect it to be used very frequently, but I think these use cases (like the use cases for Clear Site Data) are important even if they're not the most common.

> The new user argument is a bad one. That's why browsers have profiles. We're not great in that regard, but we're working on it.

Every account-based web site I've used has a logout model, so that I can log out of my account and someone else can log in, without invoking a browser feature. (Personally, I don't know offhand how to change the browser profile on any of my desktop browsers, much less my mobile phone browsers. I use private browsing modes to approximate this functionality.) I would be honestly very curious to know if there are sites that don't have a logout flow because they expect users to manage cookies or browser profiles instead. Perhaps this will be the future model one day, but right now it seems like a very large fraction of sites want to be able to control the user experience so that one user can log out and another log in.

> As far as attack surface goes, that is what we have CSP for. If the site doesn't want a permission, and we think that's a valid thing to want, then a CSP directive is the right place for that.

I'd be curious to know more about how this option would work. But the persisted permissions risk cases are specifically ones where the site *does* want the capability to request a permission sometimes (because they're using the camera briefly to take an avatar image of the user, say) but not all the time. It seems like making the site's CSP dynamic to all those situations wouldn't be the preferred way for the site to handle these use cases, but I'm not sure.


---
https://github.com/w3c/permissions/issues/46#issuecomment-212096498

Received on Tuesday, 19 April 2016 19:51:47 UTC