W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2016

Re: Permissions store

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Aug 2016 10:29:00 +0200
Message-ID: <CADnb78jfRm39YECF76Ue5e=a_yNchqm1JPXOZ6z-fhNBxbbKEQ@mail.gmail.com>
To: Martin Thomson <mt@mozilla.com>
Cc: Raymes Khoury <raymes@google.com>, Jeffrey Yasskin <jyasskin@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>, Ben Wells <benwells@google.com>
On Wed, Aug 17, 2016 at 9:43 AM, Martin Thomson <mt@mozilla.com> wrote:
> I don't think that we can reasonably scope this to origin.  At least
> in the sense that a .query() performed in one realm implies - absent
> change in circumstances - the same answer in all other realms in that
> same origin.  Some actions can't be initiated outside of top-level
> browsing contexts, for instance.

Yeah, the thing is that we can guarantee it for certain permissions.
E.g., "persistent-storage" has this quality (and I think notifications
do too, but maybe that got muddy with push), though there is the
third-party cookies setting caveat, but since we haven't really
standardized that I'm not sure the model needs to take it into
account. Disabling third-party cookies is accepting some stuff will
break, it's not a part of the assumed default model.

(This also bugs me when folks drag private browsing mode into the mix.
It changes computing, but it's not the default model or standardized
in anyway.)

>> E.g., the case comes to mind where Chrome wants to require a user
>> gesture before showing a permission which it then grants persistently
>> by default. Whereas Firefox would like to show permissions without
>> gesture but then not grant them persistently by default. If Chrome
>> starts requiring the gesture and sites adopt the gesture pattern due
>> to Chrome's outreach and such, Firefox is either stuck with two clicks
>> each time or adopting by default persistent permissions.
> Is the fact that there has been a click observable from script in any
> reliable way?  I guess that you can show popups and check if they were
> displayed, but that's massively annoying.

Well, you get a click event...

> Where I'm going is that this implies a new entry to the key:
> recent-click.  Well, if any browser wants to gate showing a prompt on
> having clicks.
> That makes .query() less reliable unless we make the recent-click
> state explicit.  I guess the same goes for any top-level flag.

Presumably Chrome would return "granted" for the permission but still
require the gesture. Which I guess arguably doesn't make it part of
the key, but something else? I'm not sure to what extent that has been
thought through.

Received on Wednesday, 17 August 2016 08:29:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC