W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: Permissions management, IoT/embedded devices and the permissions API

From: Mounir Lamouri <mounir@lamouri.fr>
Date: Fri, 14 Aug 2015 10:56:54 +0100
Message-Id: <1439546214.2122811.356099585.1C958492@webmail.messagingengine.com>
To: public-webappsec@w3.org
The current ED allows web pages to request and revoke permissions, is
that something you can you for your UC?

-- Mounir

On Fri, 31 Jul 2015, at 19:44, Oda, Terri wrote:
> I mentioned this in a meeting some time back and promised I'd follow up
> on
> the list, but forgot until it came up again in a discussion about Web
> Assembly this week.
> 
> The current permissions API is a read-only way for web applications to
> get
> permission information in a consistent way.
> 
> Management of these permissions by the user is currently done through the
> browser.  For example, geolocation permissions give the user a popup,
> they
> make a decision at that time, and the user can change the decision later
> through the browser's tools for permission management.
> 
> This is great when you have a full browser, but I'm working with some
> teams
> who are hoping to have devices, mostly embedded/Internet of Things
> products, where they support web apps, but have a web runtime that
> doesn't
> already include any way to alter those permissions after they're set, or
> even ask the user about those permissions.  e.g. headless IoT devices
> that
> want to be able to execute node.js apps, car IVI systems that only have a
> limited number of pre-approved applications for the platform, etc.  We
> work
> with enabling for a lot of diverse potential products and it's starting
> to
> become an issue I'm seeing with some frequency.
> 
> I was wondering if having a standardized way to set permissions as well
> as
> query them is a thing that would be useful to others.  Think of it as a
> sister API to the current Permissions API.  It's probably not relevant to
> browser implementers as they already have their own ways to do this, but
> I'd like to know if others are starting to see potential pain points with
> embedded and IoT devices.
> 
> Note that of course this is an API that would need some access controls
> itself, as exposing permission management API to all web apps would be a
> quick way to make permissions useless.
> 
>  Terri
Received on Friday, 14 August 2015 09:57:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC