Re: [w3c/permissions] Add another permission state "always-ask" (from one-time grants)? (Issue #414)

> .query() was always a mistake, especially when it could be used for a script to ensure that the user won't be prompted -- it means that the script can safely access the user's information without the user knowing.

I agree. Though with camera and microphone it would be user observable ([indicators](https://w3c.github.io/mediacapture-main/#privacy-indicator-requirements) for _"at least 3 seconds"_).
This might not discourage bolder tracking libraries however, so I find this point convincing.

> So it seems a strict improvement to me that "granted" might sometimes mean there will be a prompt. And if the spec doesn't allow that (I think it does, but we could make it more explicit), then we should just clarify that it does. 

It [says](https://www.w3.org/TR/permissions/#dfn-granted): _"The caller will can use [SIC] the feature possibly without having the [user agent](https://infra.spec.whatwg.org/#user-agent) asking the user's permission."_

With Safari, Firefox (and now Chrome experimenting) with one-time permission, it would be great to try to standardize what to return for one-time grants. Happy to discuss that here or close this and open a new issue.

> Providing even more detail about what the user has seen in the past doesn't seem good: it just introduces fingerprinting surface and would be better as a cookie value.

Note Firefox plans to clear this always-ask state (whatever value we end up exposing it as) with web storage anyway, as a mitigation. Just wanted to add that for any remaining proponents of a discrete value. But it sounds like we're leaning toward not adding a new value.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/414#issuecomment-1721879156

Message ID: <w3c/permissions/issues/414/1721879156@github.com>

Received on Friday, 15 September 2023 21:24:49 UTC