
Re: Permissions store

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Tue, 9 Aug 2016 09:00:47 -0700
Message-ID: <CANh-dXnSO1P1b5bfv08w51jRfx4tYaNevGDY1RLx_Rn6K8odJw@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>, Ben Wells <benwells@google.com>, Anne van Kesteren <annevk@annevk.nl>, Raymes Khoury <raymes@google.com>
Thanks Anne.

For context, the minutes for the previous meeting on this are at

As one of the Permissions editors, I'd like to request that, if this
discussion decides to change the model, y'all should produce a
document that describes it in a more contained form than an email
thread, and then I'll edit that into the spec. Or a PR would be fine
if you're ambitious. You could base a model on my previous attempts at
https://github.com/w3c/permissions/pull/95 and
https://github.com/w3c/permissions/pull/96, or build your own.


On Tue, Aug 9, 2016 at 2:26 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Apparently the latest agreement for the Permissions specification is
> that each permission has a "get" and "request" API and the details of
> those operations are up to the user agent.
>
> That does not seem great.
>
> I understand that we might want to vary on the key and even leave some
> things user-agent defined. But I think we want all permissions to be
> at least keyed by origin. And some permissions, such as storage,
> should only be keyed by origin and not some additional bits that are
> up to the user agent.
>
> (Of course, if user agents provide ways to have multiple user agents
> in a user agent, as with Firefox Container Tabs, that would be an
> additional part to the key. As would private browsing mode, but
> nothing else that is keyed by origin is concerned with those modes, so
> we shouldn't be concerned with it here either, until we expose
> features that make those modes visible to the web.)
>
> So I'd like to revisit that agreement and actually get us to clearly
> specify the store, including the bits that are user-agent defined,
> which is likely something that is decided upon on a per-API basis. The
> scope for persistent storage is not necessarily applicable to sharing
> the camera, but leaving both open-ended is not a good solution either.
>
> (It also seems rather bogus architecturally to leave such an important
> subsystem entirely up to the user agent and not describe its details.
> That will surely bite us later on.)
>
> --
> https://annevankesteren.nl/
Received on Tuesday, 9 August 2016 16:01:43 UTC
