Re: [w3ctag/design-reviews] Contact API (#337)

Hi @rayankans - We're just reviewing the explainer again here at our [f2f](https://github.com/w3ctag/meetings/blob/gh-pages/2019/12-cupertino/README.md). It looks like there is still not enough detail on the potential abuse cases. 

This is an example of how the permissions request for UI is being gamed by unsavoury individuals:
![image](https://user-images.githubusercontent.com/287526/70091453-0955db00-1614-11ea-8e3e-a61cd118e1e1.png)

This sort of thing is happening because people like us didn't do enough work in the first place thinking about all the abuse cases and designing to mitigate against these abuse cases. This has led to a messy situation. While we consider adding exciting new APIs to the platform, we therefore need to be especially mindful of how these APIs can be abused.

One of the purposes of an explainer is to help implementers understand where the risks are. Another is to guide the security & privacy considerations in the spec itself (which doesn't seem to currently exist in the spec). Please explain the abuse scenarios and explain how to mitigate them, how the spec itself mitigates against them, or whether they can be mitigated.

@plinss will write some additional comments on the API design itself.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/337#issuecomment-561368571

Received on Tuesday, 3 December 2019 21:38:40 UTC