- From: Martin Thomson <notifications@github.com>
- Date: Tue, 19 Apr 2016 17:00:52 -0700
- To: w3c/permissions <permissions@noreply.github.com>
- Cc:
- Message-ID: <w3c/permissions/issues/46/212178407@github.com>
@npdoty
> Are you concerned about revoke() because you think it's going to be used too much or because it's going to be used not enough?
I think that if it is used at all, even on the same sort of schedule as a log out (to go to your analogy) then we get into user training territory.
> Every account-based web site I've used has a logout model, so that I can log out of my account and someone else can log in, without invoking a browser feature.
This is an interesting analogy, but not one that holds up. I would consider this less of a temporary break in the way that logout is temporary, but more like giving a site your mailing address, then asking them to forget it and scrub their database of the info. Sure, you can type the address into a form again every time you log in, but why would a site give that information up?
>> [...] a CSP directive is the right place for that.
>
> I'd be curious to know more about how this option would work.
The model is very simple. CSP allows a site to voluntarily relinquish certain capabilities. Usually, this is used to protect the server by also protecting the integrity of the page ("only load this JS", or "only load JS from here"). And yes, this can be (and often is) entirely dynamic.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/46#issuecomment-212178407
Received on Wednesday, 20 April 2016 00:01:57 UTC