Permissions management, IoT/embedded devices and the permissions API

From: Oda, Terri <terri.oda@intel.com>
Date: Fri, 31 Jul 2015 11:44:32 -0700
Message-ID: <CACoC0R8xqH1dxvYiEDVz3vJ_BPqc4NVBAWKV0tPQtAQkngF-Vg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I mentioned this in a meeting some time back and promised I'd follow up on
the list, but forgot until it came up again in a discussion about Web
Assembly this week.

The current permissions API is a read-only way for web applications to get
permission information in a consistent way.

Management of these permissions by the user is currently done through the
browser.  For example, geolocation permissions give the user a popup, they
make a decision at that time, and the user can change the decision later
through the browser's tools for permission management.

This is great when you have a full browser, but I'm working with some teams
who are hoping to have devices, mostly embedded/Internet of Things
products, where they support web apps, but have a web runtime that doesn't
already include any way to alter those permissions after they're set, or
even ask the user about those permissions, e.g. headless IoT devices that
want to be able to execute node.js apps, car IVI systems that only have a
limited number of pre-approved applications for the platform, etc.  We work
with enabling for a lot of diverse potential products and it's starting to
become an issue I'm seeing with some frequency.

I was wondering if having a standardized way to set permissions as well as
query them is a thing that would be useful to others.  Think of it as a
sister API to the current Permissions API.  It's probably not relevant to
browser implementers as they already have their own ways to do this, but
I'd like to know if others are starting to see potential pain points with
embedded and IoT devices.

Note that of course this is an API that would need some access controls
itself, as exposing a permission management API to all web apps would be a
quick way to make permissions useless.

 Terri
Received on Friday, 31 July 2015 18:45:04 UTC