Re: [w3ctag/design-reviews] Modal window (#427) from Danyao Wang on 2019-12-11 (public-webapps-github@w3.org from December 2019)

From: Danyao Wang <notifications@github.com>
Date: Wed, 11 Dec 2019 06:34:38 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/427/564571493@github.com>

Thanks @dbaron and @alice for the feedback!

> 1. If this were a concept that specific spec (like Payment Handler) could use as a shared mechanism, but not a general purpose API that any website could use.  (@alice will write more about this shortly.)

This seems reasonable. @agektmr has made a similar suggestion elsewhere and I think it may be an effective tactic for us to validate the benefit of this proposal while buying some time to better understand the security / privacy / UX threats so they may addressed. I think a critical next step to check whether Modal Window API has legs is to find some concrete use cases, whether standalone or as part of API, where this proposal is clearly better than alternative solutions. It seems that a likely area may be cross-origin service coordination, but more investigation is needed to clearly articulate the user problems that are being solved.

> 2. Demonstrating that it's possible to build a UI that is simultaneously (a) a polished and shippable quality UI and (b) where a reasonable portion of users are able to make the correct security distinctions based on it (compared to the best-possible fakes of it).  (I think a "reasonable portion" probably at least means a similar portion to the Web's existing security indicators... although it would probably be desirable to do better!  It probably also means including users using various accessibility mechanisms.)

These are very fair questions. They are similar to what we want to answer for Payment Handler API as well. Chrome is planning to conduct a UXR in the near future to answer these questions, but in the context of the current payment handler flow. We’ll share any transferable learnings on this thread.

> > [...] a concept that specific specs (like Payment Handler) could use as a shared mechanism, but not a general purpose API that any website could use.
> 
> For example, it could be a concept like "browser tab", which refers to something created by the UA, but which cannot be created directly by the web page.
> 
> It might be worth fleshing out some pre-requisites for an API to be able to use this mechanism, e.g. that the API must be able to create a list of trusted providers.

These make sense. Out of curiosity, @alice, did you have any APIs in mind that could benefit from such a "browser tab" concept, if we flesh out the prerequisites?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/427#issuecomment-564571493

Received on Wednesday, 11 December 2019 14:34:40 UTC