[w3ctag/design-reviews] Permissions Policy Reporting and Report-Only mode (Issue #909)

Hello, TAG!

I'm requesting a TAG review of Permissions Policy Reporting.

A document's permissions policy sets limits on what kinds of actions it can perform; what APIs are available. When a page tries to do something that is blocked by policy, the browser currently surfaces a message in developer tools -- this can be great when developing a site, but is often not enough when dealing with a site in production. It would be very useful to be able to collect reports about real problems that users are seeing.

We're addressing this by integrating permissions policy with the [Reporting API](https://w3c.github.io/reporting/). In the same way that sites can opt in to receiving reports about CSP violations or deprecations, they will now be able to receive reports about permissions policy violations in the wild.

  - Explainer¹ (minimally containing user needs and example code): https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md
  - Specification URL: https://w3c.github.io/webappsec-permissions-policy/#reporting
  - Tests: https://wpt.fyi/results/permissions-policy/reporting?label=experimental&label=master&aligned
  - User research: Nope
  - Security and Privacy self-review²: https://github.com/w3c/webappsec-permissions-policy/blob/main/security-privacy-questionnaire-reporting.md
  - GitHub repo (if you prefer feedback filed there): https://github.com/w3c/webappsec-permissions-policy
  - Primary contacts (and their relationship to the specification):
      - Ian Clelland (@clelland), Google, Spec Editor
  - Organization(s)/project(s) driving the specification: Chrome
  - Key pieces of existing multi-stakeholder review or discussion of this specification:
  - External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/guide/edit/5105435227455488

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Relevant time constraints or deadlines: [please provide]
  - The group where the work on this specification is currently being done: W3C (WebAppSec WG)
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): Same
  - Major unresolved issues with or opposition to this specification: None that I'm aware of. This has been discussed positively in the WG several times.
  - This work is being funded by: Google

You should also know that...

* Permissions Policy (née Feature Policy) has been reviewed by the TAG, as has the Reporting API. This review request is for the integration of the two, so that policy violations (and potential violations) can trigger reports.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**

² A Security and Privacy questionnaire helps us understand potential security and privacy issues and mitigations for your design, and can save us asking redundant questions. See https://www.w3.org/TR/security-privacy-questionnaire/.



Received on Tuesday, 17 October 2023 15:25:07 UTC