Re: [w3c/permissions] request/revoke (#46)

The problem with revocation is that those reasons aren't particularly convincing, and it then results in more permissions requests from the site.  That's either mildly annoying ("didn't I just say yes"), or hazardous (training users to click through without consideration).

Also, I disagree that sites want to do this.  We see sites actually being unwilling to ask for permission, simply because a user might deny the request *and that denial might then be permanent*.

The new user argument is a bad one.  That's why browsers have profiles.  We're not great in that regard, but we're working on it.

As far as attack surface goes, that is what we have CSP for.  If the site doesn't want a permission, and we think that's a valid thing to want, then a CSP directive is the right place for that.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/46#issuecomment-202647042

Received on Tuesday, 29 March 2016 00:43:45 UTC