[w3c/permissions] describe implicitly-granted permissions (#178) from L. David Baron on 2018-05-22 (public-webapps-github@w3.org from May 2018)

From: L. David Baron <notifications@github.com>
Date: Tue, 22 May 2018 10:58:48 -0700
To: w3c/permissions <permissions@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/permissions/issues/178@github.com>

The [registry section](https://w3c.github.io/permissions/#permission-registry) of the Permissions API spec should describe implicitly granted permissions (such as file upload or screenshare of a window) in addition to the explicitly granted ones that it currently describes.

I mentioned this initially in https://github.com/w3ctag/design-reviews/issues/225#issuecomment-386165945 in the context of the proposal for Permission Delegation discussed in that issue.

The background here is that some permissions for powerful capabilities on the web (e.g., geolocation) are granted by explicitly asking the user about that permission. The current permissions API spec and the capabilities it provides are designed around this type of permission.

However, there are a set of permissions that are granted more implicitly through an act of user selection. For example, permission to upload a file is granted by the user choosing that file in a file picker; similar for screensharing a window in [Screen Share](https://w3c.github.io/mediacapture-screen-share/). This sort of permission grant is in many ways better than explicitly asking the user since it's often clearer what's being granted, and the grant is clearly tied to the thing that needs it. It also requires less API around it, since it doesn't make sense to query the status of this permission, or to request it separately.

However, there are some uses of the permissions API, such as the Permission Delegation proposal that would control the delegation of permissions to cross-origin subframes, where it seems like it would be useful to have API around these permissions. It seems like a page should be able to control whether its subframes can request file upload or screen share just like it should be able to control whether its subframes can request geolocation. (In both cases, the request appears in significant ways to come from the toplevel page.)

So I think these permissions ought to be described in the registry in the permissions API spec, in a way that `Permissions.query()` doesn't apply, but that other APIs such as permission delegation do apply.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/178

Received on Tuesday, 22 May 2018 17:59:13 UTC