
Re: Permissions store

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 18 Aug 2016 09:44:48 +0200
Message-ID: <CADnb78g-dqN6A+5GFjBkPGV7gHcshkVo8+-LAi1YE_w9LtNTOA@mail.gmail.com>
To: Raymes Khoury <raymes@google.com>
Cc: Martin Thomson <mt@mozilla.com>, Jeffrey Yasskin <jyasskin@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>, Ben Wells <benwells@google.com>

On Thu, Aug 18, 2016 at 7:28 AM, Raymes Khoury <raymes@google.com> wrote:
> For example, what if the UA shows a prompt (in the context of a
> request()) that allows the user to allow the permission for several origins
> at a time? I feel like this could be done in a responsible way by a UA. In
> that case I feel happy about the phrase we have: "New information about the
> user’s intent". If there was no prompt, it wouldn't be nice for that to
> happen, but then that's clearly not "New information about the user’s
> intent".

This is exactly the kind of thing that is problematic. Since if a UA
ships that and sites come to depend on it, other UAs will have to
copy. Requiring changes to the standard for such practices is a good
way to keep everyone informed of competitive pressures.

> Permissions should generally be scoped to origins by default but UAs can
> have such varied UX that it's hard to spec that out in granularity.

I don't think allowing UX to vary to the extent that it influences how
sites are programmed is responsible.

Received on Thursday, 18 August 2016 07:45:17 UTC
