W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2016

Re: Permissions store

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Aug 2016 09:30:08 +0200
Message-ID: <CADnb78jWE0dfESnWEoMU51hDeSqyYRJaToe1q4NNzDqU_Cc7gA@mail.gmail.com>
To: Raymes Khoury <raymes@google.com>
Cc: Jeffrey Yasskin <jyasskin@google.com>, WebAppSec WG <public-webappsec@w3.org>, Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>, Ben Wells <benwells@google.com>
On Wed, Aug 17, 2016 at 3:55 AM, Raymes Khoury <raymes@google.com> wrote:
> Hmm, in my mind we sort of have a store implicitly defined in the spec.

Yeah, I'd like it to be more explicit. Defining subsystems in detail
has been paying off thus far.

> The
> key is the entire context of the JS call (including permission, origin,
> etc.). Setting a value corresponds to "new information about the user’s
> intent". This gives the UA a lot of freedom. I think we can define more
> constraints on this boundary if we have consensus (such as the origin one).

I think that would be good. And too much freedom leads to everyone
having to copy the majority user agent as it determines the
programming model around usage, which isn't really good use of our

E.g., the case comes to mind where Chrome wants to require a user
gesture before showing a permission which it then grants persistently
by default. Whereas Firefox would like to show permissions without
gesture but then not grant them persistently by default. If Chrome
starts requiring the gesture and sites adopt the gesture pattern due
to Chrome's outreach and such, Firefox is either stuck with two clicks
each time or adopting by default persistent permissions.

Received on Wednesday, 17 August 2016 07:30:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC