W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2016

Permissions store

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 9 Aug 2016 11:26:49 +0200
Message-ID: <CADnb78j9U76bLdEVD0ys40Z43XxgpjGJJLXuBZ8YrVMv0CM6ng@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Jeffrey Yasskin <jyasskin@google.com>, Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>
Apparently the latest agreement for the Permissions specification is
that each permission has a "get" and "request" API and the details of
those operations are up to the user agent.

That does not seem great.

I understand that we might want to vary on the key and even leave some
things user-agent defined. But I think we want all permissions to be
at least keyed by origin. And some permissions, such as storage,
should only be keyed by origin and not some additional bits that are
up to the user agent.

(Of course, if user agents provide ways to have multiple user agents
in a user agent, as with Firefox Container Tabs, that would be an
additional part to the key. As would private browsing mode, but
nothing else that is keyed by origin is concerned with those modes, so
we shouldn't be concerned with it here either, until we expose
features that make those modes visible to the web.)

So I'd like to revisit that agreement and actually get us to clearly
specify the store, including the bits that are user-agent defined,
which is likely something that is decided upon on a per-API basis. The
scope for persistent storage is not necessarily applicable to sharing
the camera, but leaving both openended is not a good solution either.

(It also seems rather bogus architecturally to leave such an important
subsystem entirely up to the user agent and not describe its details.
That will surely bite us later on.)

Received on Tuesday, 9 August 2016 09:27:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC