Re: [whatwg] Proposal for a web application descriptor
On 02/08/2011, at 11:50 PM, Ian Hickson wrote: On Wed, 27 Jul 2011, Cameron Heavon-Jones wrote: The mapping of tel and email inputs to a contacts list is functional, not systematic. Might this be extended for some other inputs: date(*), url, search etc? This functionality may be declared and defined through a new attribute, since autocomplete is already used, something like autoassist? Maybe this would be able to over-ride the default file input behaviour of launching a popup in the case i just want to manually enter a file:/// I'm not sure I really understand what you are describing here. Registered as feature request with additional information: http://www.w3.org/Bugs/Public/show_bug.cgi?id=13602 There are definite UX limitations to that approach - the content can't provide visual hinting during the autocomplete, for example (it would be nice if a photo gallery could trim down the set of photos from my friends as I narrow in on the name). This would seems to be ok as long as the contents remain sandboxed until selection is confirmed. Assuming the photos are server-side, there's no way to do this without giving the app essentially full read access to the contacts. My assumption was that this was client-side. It makes no difference though, in the case of file selection through a modal dialog, the requesting page has no knowledge of if the file is coming from a local hard drive or networked resource, this is the power of the abstraction. It works the same for network-only resources. It would be nice for a page\site\app to still be able to access a full contacts list if desired. Though it would seem to extend the integration into the full Contacts API which is of far larger scope. There is definitely a question of whether there should be an API for this specific case or if there are so many that we need a generic solution. Yes, i'm not pursuing a Contacts API however. It's too big in scope when there are simpler and more generic solutions for richer UIs, and which leave browser to distinguish themselves for aesthetics and user preferences. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.' Thanks, Cameron Jones
Re: [whatwg] Proposal for a web application descriptor
On Wed, 27 Jul 2011, Mike Hanson wrote: On Jul 26, 2011, at 2:44 PM, Ian Hickson wrote: On Fri, 29 Apr 2011, Simon Heckmann wrote: I have read a lot in the last month about the future of html and web applications and I am very impressed by the progress this makes. However, I have come across some thing that annoys me: Permissions. I know they are important and I know they are needed but currently I find this quite inconvenient. And with more and more permissions coming up this might get worse so I spent some time thinking about it. [...] In short, the better solution isn't to ask for permissions up-front, but to ask for fewer permissions. The ideal solution is to not ask for any permission but to base the permission on a natural user gesture. For example, drag-and-drop of files to a site doesn't require permissions, but it is an implicit permission grant. Same with input type=file. With getUserMedia() we are doing something similar: instead of asking for permission, the user is asked for a specific input to be selected. snip Indeed. The system shouldn't ask for any permissions. For example instead of reading contact data, it could cause the OS to pop up a contacts list from which you can pick a contact to give access to it to the app. The challenging use case, and one that we had trouble with when we prototyped the Contacts API, is for ongoing or persistent access. The best approach we have right now is to use explicit markup to sandbox the permissions grant away from untrusted code. In the Contacts case, for example, autocomplete of email addresses, names, and phone numbers was a desired use case. A naive approach is to let the web app read the entire database and perform autocompletion in content. The safe approach, which was harder and less flexible, is to attach autocomplete behavior to input type=tel and email, and to set the autocompleted value only when the user has selected it. There are definite UX limitations to that approach - the content can't provide visual hinting during the autocomplete, for example (it would be nice if a photo gallery could trim down the set of photos from my friends as I narrow in on the name). The limitations create an incentive for content to try to get the full set of data anyway, through some other channel. As Roc commented, finding a way to be comfortable with a higher-level permissions grant that persisted over a longer span could be one way to address that. One way to grant access to the whole database is to have the user drag the database into the app. Without knowing more about the concrete use case, though, it's hard to say exactly what the right solution is. Can you elaborate? What kind of application is this for, and what is the expected user interaction? Going forward, it's possible that the address book would actually be just in a Web app, and granting access might really consist of dragging a MessagePort from the address book app to the other app. This would then allow the address book app to grant rights to the other app, including potentially bootstrapping a longer-term relationship (e.g. server-side). On Wed, 27 Jul 2011, Cameron Heavon-Jones wrote: The mapping of tel and email inputs to a contacts list is functional, not systematic. Might this be extended for some other inputs: date(*), url, search etc? This functionality may be declared and defined through a new attribute, since autocomplete is already used, something like autoassist? Maybe this would be able to over-ride the default file input behaviour of launching a popup in the case i just want to manually enter a file:/// I'm not sure I really understand what you are describing here. There are definite UX limitations to that approach - the content can't provide visual hinting during the autocomplete, for example (it would be nice if a photo gallery could trim down the set of photos from my friends as I narrow in on the name). This would seems to be ok as long as the contents remain sandboxed until selection is confirmed. Assuming the photos are server-side, there's no way to do this without giving the app essentially full read access to the contacts. It would be nice for a page\site\app to still be able to access a full contacts list if desired. Though it would seem to extend the integration into the full Contacts API which is of far larger scope. There is definitely a question of whether there should be an API for this specific case or if there are so many that we need a generic solution. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Proposal for a web application descriptor
On 26/07/2011, at 10:44 PM, Ian Hickson wrote: Robert O'Callahan posted a good response: http://weblogs.mozillazine.org/roc/archives/2011/06/permissions_for.html In short, the better solution isn't to ask for permissions up-front, but to ask for fewer permissions. The ideal solution is to not ask for any permission but to base the permission on a natural user gesture. For example, drag-and-drop of files to a site doesn't require permissions, but it is an implicit permission grant. Same with input type=file. With getUserMedia() we are doing something similar: instead of asking for permission, the user is asked for a specific input to be selected. Permission grants are a bug. nice recap and clarity on implicit vs explicit permissions. the concept of asking for permission and how to manage this would seem to remain open for explicit permission grants, the most pressing case being geolocation. might there be more use cases in future? this may open the case for more universal management mechanism through the UA, and potentially a generalized specification? On Sat, 30 Apr 2011, Glenn Maynard wrote: Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. Indeed. The system shouldn't ask for any permissions. For example instead of reading contact data, it could cause the OS to pop up a contacts list from which you can pick a contact to give access to it to the app. yes, possibly permissions should be viewed not in terms of the resource they may require to access (webcam, mic, printer, etc) but the conceptual user interaction - image\video source, audio source, document serialization, etc... On Sun, 1 May 2011, Robert O'Callahan wrote: Notifications are a particularly hard case for the principle of requesting permissions in response to user action, because the whole point of notifications is that they happen when the user isn't giving the application attention :-). My proposal for notifications was to have them default to being just inside the page (nothing that a div couldn't do), but that they would include explicit UI to promote them to full-system notifications; and vice-versa, so a system notification could be demoted back to just in-page notification with a similar gesture. possibly the interaction should not be with the system but the browser. this leaves any system-level integration in full control of the browser and restricts the specification to a single level of abstraction. On Tue, 3 May 2011, Cameron Heavon-Jones wrote: The quantity of permission requests can be managed in an effective manner by the agent allowing the user to store their preferences for the next command or as a universal setting. That doesn't work. It might be appropriate for Bing Maps to have access to my Geolocation information, but I certainly don't want some random blog to have access to it. Defaults don't work here. the UI concept is that of user preference management, it can apply to permissions, confirmations, or any other user configurable setting. there is no reason geolocation can't be managed in the same way. if i always want bing maps to have access to my location, it would be nice to be able to register that preference. for some random blog that always asks for my location, it would be nice to block it from asking again. it's not defaults, but in-process persistent configuration. For web applications to specify their required permissions would seem to introduce a duplication of specification. If a web application includes an image file upload which the user chooses to capture from webcam, first how is the application to know that the user would use a web cam? There's no need for the app to know. It can just allow the user to upload a photo, and the browser can offer to use the webcam. indeed. I haven't added anythign to the spec in relation to this proposal. the proposal for a web app descriptor for implicit permissions would seem to be debunked, however the greater question of how to manage the explicit geolocation feature is both still open and an issue being encountered today. what concerns me is the interaction between web application\document and browser shell\chrome which is new territory. the concept of background web pages, introducing notification requirements, is also an area requiring active attention. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.' Thanks, Cameron Jones
Re: [whatwg] Proposal for a web application descriptor
On 27/07/2011, at 5:30 PM, Mike Hanson wrote: The challenging use case, and one that we had trouble with when we prototyped the Contacts API, is for ongoing or persistent access. The best approach we have right now is to use explicit markup to sandbox the permissions grant away from untrusted code. In the Contacts case, for example, autocomplete of email addresses, names, and phone numbers was a desired use case. A naive approach is to let the web app read the entire database and perform autocompletion in content. The safe approach, which was harder and less flexible, is to attach autocomplete behavior to input type=tel and email, and to set the autocompleted value only when the user has selected it. This is a sound approach, i'm not sure of the implementation complexities. The mapping of tel and email inputs to a contacts list is functional, not systematic. Might this be extended for some other inputs: date(*), url, search etc? This functionality may be declared and defined through a new attribute, since autocomplete is already used, something like autoassist? Maybe this would be able to over-ride the default file input behaviour of launching a popup in the case i just want to manually enter a file:/// There are definite UX limitations to that approach - the content can't provide visual hinting during the autocomplete, for example (it would be nice if a photo gallery could trim down the set of photos from my friends as I narrow in on the name). This would seems to be ok as long as the contents remain sandboxed until selection is confirmed. The limitations create an incentive for content to try to get the full set of data anyway, through some other channel. As Roc commented, finding a way to be comfortable with a higher-level permissions grant that persisted over a longer span could be one way to address that. It would be nice for a page\site\app to still be able to access a full contacts list if desired. Though it would seem to extend the integration into the full Contacts API which is of far larger scope. -- Michael Hanson, Mozilla Labs Thanks, Cameron Jones
Re: [whatwg] Proposal for a web application descriptor
On Fri, 29 Apr 2011, Simon Heckmann wrote: I have read a lot in the last month about the future of html and web applications and I am very impressed by the progress this makes. However, I have come across some thing that annoys me: Permissions. I know they are important and I know they are needed but currently I find this quite inconvenient. And with more and more permissions coming up this might get worse so I spent some time thinking about it. I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) It should just take only a few minutes to read and includes examples and screenshots. I am really looking forward to hearing your thoughts on this. Please feel free to share this idea with whomever you want to. If you think I should post this proposal somewhere else please say so. Robert O'Callahan posted a good response: http://weblogs.mozillazine.org/roc/archives/2011/06/permissions_for.html In short, the better solution isn't to ask for permissions up-front, but to ask for fewer permissions. The ideal solution is to not ask for any permission but to base the permission on a natural user gesture. For example, drag-and-drop of files to a site doesn't require permissions, but it is an implicit permission grant. Same with input type=file. With getUserMedia() we are doing something similar: instead of asking for permission, the user is asked for a specific input to be selected. Permission grants are a bug. On Sat, 30 Apr 2011, Glenn Maynard wrote: I'd wonder what their response is to Android; the problems on that platform are obvious. The result is exactly as you say: people end up giving up and just accepting everything. (The permissions request for Skype includes: read contact data, write contact data, coarse (network-based) location, full Internet access, act as an account authenticator, manage the accounts list, user the authentication credentials of an account, modify/delete USB storage contents, change your audio settings, record audio, read phone state and identity, disable keylock, modify global system settings, prevent phone from sleeping, retrieve running applications, write sync settings, view network state, view Wi-Fi state, control vibrator, read sync settings, read sync statistics, discover known accounts. It's hopeless; if take out a mortgage on your house was in there, nobody would notice.) Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. Indeed. The system shouldn't ask for any permissions. For example instead of reading contact data, it could cause the OS to pop up a contacts list from which you can pick a contact to give access to it to the app. On Sun, 1 May 2011, Robert O'Callahan wrote: Notifications are a particularly hard case for the principle of requesting permissions in response to user action, because the whole point of notifications is that they happen when the user isn't giving the application attention :-). My proposal for notifications was to have them default to being just inside the page (nothing that a div couldn't do), but that they would include explicit UI to promote them to full-system notifications; and vice-versa, so a system notification could be demoted back to just in-page notification with a similar gesture. On Tue, 3 May 2011, Cameron Heavon-Jones wrote: The quantity of permission requests can be managed in an effective manner by the agent allowing the user to store their preferences for the next command or as a universal setting. That doesn't work. It might be appropriate for Bing Maps to have access to my Geolocation information, but I certainly don't want some random blog to have access to it. Defaults don't work here. For web applications to specify their required permissions would seem to introduce a duplication of specification. If a web application includes an image file upload which the user chooses to capture from webcam, first how is the application to know that the user would use a web cam? There's no need for the app to know. It can just allow the user to upload a photo, and the browser can offer to use the webcam. I haven't added anythign to the spec in relation to this proposal. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Proposal for a web application descriptor
On Thu, 05 May 2011 21:41:24 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/5/11, Charles McCathieNevile cha...@opera.com wrote: On Thu, 05 May 2011 00:12:06 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/3/11, Cameron Heavon-Jones cmhjo...@gmail.com wrote: There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another. If I understand correctly, I disagree. I might trust a given entity sometimes, or with some kinds of information, without wanting to simply say sure whatever you want. That's probably for the hard-to-use mode in the UI, but I think it's legitimate. In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. In that case you wouldn't grant anyone a carte blanche access to your location, but authorize or forbid each request. I meant that users probably wouldn't want to permanently authorize http://twitter.com/A but not http://twitter.com/. Of course, if the site requests coordinates, it's up to the user whether they come from /dev/gps or /dev/tty (or /n/3D Globe). Yeah, in principle. But given that most users aren't going to symlink /dev/gps via their hand-crafted code to decide what to say (largely because browsers just ask Google where you are instead based on visible Wifi) in practice the question is how to build reasonable UI that the users actually understand. cheers Chaals -- Charles McCathieNevile Opera Software, Standards Group je parle français -- hablo español -- jeg lærer norsk http://my.opera.com/chaals Try Opera: http://www.opera.com
Re: [whatwg] Proposal for a web application descriptor
On 5/6/11, Charles McCathieNevile cha...@opera.com wrote: On Thu, 05 May 2011 21:41:24 +0200, Bjartur Thorlacius Of course, if the site requests coordinates, it's up to the user whether they come from /dev/gps or /dev/tty (or /n/3D Globe). Yeah, in principle. But given that most users aren't going to symlink /dev/gps via their hand-crafted code to decide what to say (largely because browsers just ask Google where you are instead based on visible Wifi) in practice the question is how to build reasonable UI that the users actually understand. The point was that they user could choose between the location provided by their GPS and Click on a spot on the globe representing the Earth (ignoring whether the selection is the user's location or not). This would force users to make an informed choice (as there's no button labeled OK).
Re: [whatwg] Proposal for a web application descriptor
On Fri, 06 May 2011 14:54:55 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/6/11, Charles McCathieNevile cha...@opera.com wrote: On Thu, 05 May 2011 21:41:24 +0200, Bjartur Thorlacius Of course, if the site requests coordinates, it's up to the user whether they come from /dev/gps or /dev/tty (or /n/3D Globe). Yeah, in principle. But given that most users aren't going to symlink /dev/gps via their hand-crafted code to decide what to say (largely because browsers just ask Google where you are instead based on visible Wifi) in practice the question is how to build reasonable UI that the users actually understand. The point was that they user could choose between the location provided by their GPS and Click on a spot on the globe representing the Earth (ignoring whether the selection is the user's location or not). This would force users to make an informed choice (as there's no button labeled OK). Aha. Nice. I've been putting together something like that on and off for a couple of days actually, so I don't know why I didn't get it the first time :S cheers -- Charles McCathieNevile Opera Software, Standards Group je parle français -- hablo español -- jeg lærer norsk http://my.opera.com/chaals Try Opera: http://www.opera.com
Re: [whatwg] Proposal for a web application descriptor
On Thu, May 5, 2011 at 6:08 PM, Charles McCathieNevile cha...@opera.com wrote: There is a Unite application for Opera that does this - http://unite.opera.com/application/701/ Wow! I'll install it on Sunday (my day ends in a few minutes) thanks you just made my weekend :)
Re: [whatwg] Proposal for a web application descriptor
On Thu, 05 May 2011 00:12:06 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/3/11, Cameron Heavon-Jones cmhjo...@gmail.com wrote: There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another. If I understand correctly, I disagree. I might trust a given entity sometimes, or with some kinds of information, without wanting to simply say sure whatever you want. That's probably for the hard-to-use mode in the UI, but I think it's legitimate. In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. I understand that complicating the UI for this makes the simple things hard, which is wrong. But the complicated things should be possible - and given the current trend in privacy requirements in Europe, it's probably a good idea to make it at least *possible* to do something more detailed than the *all or nothing* approach for those service providers who want to differentiate by allowing for a more graded approach and the users who want to take advantage of that. cheers Chaals -- Charles McCathieNevile Opera Software, Standards Group je parle français -- hablo español -- jeg lærer norsk http://my.opera.com/chaals Try Opera: http://www.opera.com
Re: [whatwg] Proposal for a web application descriptor
On Thu, May 5, 2011 at 9:13 AM, Charles McCathieNevile cha...@opera.com wrote: If I understand correctly, I disagree. :) I might trust a given entity sometimes, or with some kinds of information, without wanting to simply say sure whatever you want. And I'm still haunted by web sites which pester me to click on things before allowing access to content. It's pretty clear that if we let web sites hold users for ransom, they will (privacy be damned). So we really should have a model of privacy secured by default. That's probably for the hard-to-use mode in the UI, but I think it's legitimate. I'm hoping it isn't that hard. In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. I'm hoping we'll eventually move to a model where users are able to provide default values for things, e.g. If anyone asks [about GeoPositioning], I'm in Paris (I'm currently sick in HEL, but no one needs to know that). Or If anyone wants to see what's outside my window [i.e. visible from my Camera], show them this picture I took the last time I had sunlight (In case my cave doesn't have any lighting). When a site accesses this information, it should show the user the information it accesses, and the user (being the one who selected the information) will understand what it means, if the user wants to give a different GPS, Picture, etc. to the application, the user would trigger a site option, and say allow twitter to see my current Location until I get distracted, for this session, until 2pm, forever. Someday I'll try to make a decent mock up of this, I think I'll eventually publish something @ http://timeless.justdave.net/blog/182/ (no, that url isn't finished, it's only finished when I publish it in my atom feed)
Re: [whatwg] Proposal for a web application descriptor
On 04/05/2011, at 11:12 PM, Bjartur Thorlacius wrote: The quantity of permission requests can be managed in an effective manner by the agent allowing the user to store their preferences for the next command or as a universal setting. If you manage to inform users that they'd then be authorizing for every purpose, usually without notice, not just for obeying the previous command. I meant that the authorization preferences would need to be stored on an application-by-application basis for it to make any sense. If a user authorizes an app to use a restricted resource, they could be prompted as to whether that resource should have access granted for future actions. There could also be the possibility of allowing - or at least being able to specify - authorization at a global level. Something like - grant all applications access to the webcam. Or in other words to remove any restrictions from a resource. This is similar to what firefox does for launching unknown file types, session restore, or lots of other functions, although it would be in the context of a web application itself. How so? I see this behaviour in lots of desktop applications, not only for authorization requests but any kind of repeated confirmation dialog. In firefox the first time you close the browser it asks if you would like it to store the current session for restoration at next startup, this is always shown for a fresh install but the dialog has a checkbox for whether the user would like firefox to remember their preference and apply that preference without confirmation next time firefox shuts down. I also see this behaviour in Eclipse, which was one of the first desktop applications i was aware of to use this UI pattern. It is valuable as it maintains that the initial default should be to inform and ask the user what to do, but also makes it easy for the user to specify that they never want to be asked again. For web applications to specify their required permissions would seem to introduce a duplication of specification. If a web application includes an image file upload which the user chooses to capture from webcam, first how is the application to know that the user would use a web cam? and second It isn't to know, nor to care. It receives an image, not a camera. Yes, i thought about this some more and i'm less certain of a direct need for a system-level (OS) resource authorization mechanism. Why would a user need to be asked if they want to use their own camera? If they have clicked on a file upload, the OS has displayed a file dialog box, then they have chosen to capture from webcam - why would they need to be asked if that was authorized? Since the command is from direct user action, and the dialog box is an OS user interface, where is the need for a user to confirm that what they're doing should be allowed? Web sites\Web applications are already isolated from the underlying OS and protected from directly accessing system resources. They operate under direct user action and not as demon processes so the user is always both the source of command and, of course, the authority for granting permission. So, without consideration for future APIs, what system-resource authorization is actually required by a web application? The main driver for this would seem to be access to a user's geo location. This is more a request for information, not really for resource access. It might be better to think about the problem specifically within this use-case and how it should be applied as i am unsure of any need for additional authorization mechanisms at present. There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another. My personal opinion is that what this proposal really highlights the need for is a method of packaging or defining the scope and context of what a Web Application is and its boundaries within a URI space. Without this user agents will not have the context necessary to provide configuration and management of applications other than over an entire domain xor a single page. Thanks, Cameron Jones
Re: [whatwg] Proposal for a web application descriptor
On 05/05/2011, at 7:13 AM, Charles McCathieNevile wrote: On Thu, 05 May 2011 00:12:06 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/3/11, Cameron Heavon-Jones cmhjo...@gmail.com wrote: There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another. If I understand correctly, I disagree. I might trust a given entity sometimes, or with some kinds of information, without wanting to simply say sure whatever you want. That's probably for the hard-to-use mode in the UI, but I think it's legitimate. In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. Yes, i would regard geo location to be dependant on other factors than just who is requesting the information. In private scenarios i may want an app to always have access to my location if it is just augmenting or fixing an information service around my location, but in the case of publishing like twitter i would only want to grant access to that information on a case by case basis probably defaulting to no. There is the problem with granting access to location that once it is given it can not be rescinded, at least for a unique session and not accounting for the user moving around. cam
Re: [whatwg] Proposal for a web application descriptor
On 05/05/2011, at 8:30 AM, timeless wrote: On Thu, May 5, 2011 at 9:13 AM, Charles McCathieNevile cha...@opera.com wrote: In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. I'm hoping we'll eventually move to a model where users are able to provide default values for things, e.g. If anyone asks [about GeoPositioning], I'm in Paris (I'm currently sick in HEL, but no one needs to know that). That sounds like a pretty cool feature, whoever said that the UA had to tell the truth! :) It definitely puts the user in control. cam
Re: [whatwg] Proposal for a web application descriptor
On Thu, 05 May 2011 16:39:53 +0200, Cameron Heavon-Jones cmhjo...@gmail.com wrote: On 05/05/2011, at 8:30 AM, timeless wrote: On Thu, May 5, 2011 at 9:13 AM, Charles McCathieNevile cha...@opera.com wrote: In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. I'm hoping we'll eventually move to a model where users are able to provide default values for things, e.g. If anyone asks [about GeoPositioning], I'm in Paris (I'm currently sick in HEL, but no one needs to know that). That sounds like a pretty cool feature, whoever said that the UA had to tell the truth! :) It definitely puts the user in control. There is a Unite application for Opera that does this - http://unite.opera.com/application/701/ cheers -- Charles McCathieNevile Opera Software, Standards Group je parle français -- hablo español -- jeg lærer norsk http://my.opera.com/chaals Try Opera: http://www.opera.com
Re: [whatwg] Proposal for a web application descriptor
On 5/5/11, Charles McCathieNevile cha...@opera.com wrote: On Thu, 05 May 2011 00:12:06 +0200, Bjartur Thorlacius svartma...@gmail.com wrote: On 5/3/11, Cameron Heavon-Jones cmhjo...@gmail.com wrote: There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another. If I understand correctly, I disagree. I might trust a given entity sometimes, or with some kinds of information, without wanting to simply say sure whatever you want. That's probably for the hard-to-use mode in the UI, but I think it's legitimate. In practice, even given something as simple as twitter's geolocation request I *sometimes* allow it to know where I am and sometimes don't. In that case you wouldn't grant anyone a carte blanche access to your location, but authorize or forbid each request. I meant that users probably wouldn't want to permanently authorize http://twitter.com/A but not http://twitter.com/. Of course, if the site requests coordinates, it's up to the user whether they come from /dev/gps or /dev/tty (or /n/3D Globe).
Re: [whatwg] Proposal for a web application descriptor
On 5/3/11, Cameron Heavon-Jones cmhjo...@gmail.com wrote: I would agree a command-level authorization is a better default, if only because it is necessary to have this level of granularity available. Agreed. The quantity of permission requests can be managed in an effective manner by the agent allowing the user to store their preferences for the next command or as a universal setting. If you manage to inform users that they'd then be authorizing for every purpose, usually without notice, not just for obeying the previous command. This is similar to what firefox does for launching unknown file types, session restore, or lots of other functions, although it would be in the context of a web application itself. How so? [snip stuff I completely agree with] For web applications to specify their required permissions would seem to introduce a duplication of specification. If a web application includes an image file upload which the user chooses to capture from webcam, first how is the application to know that the user would use a web cam? and second It isn't to know, nor to care. It receives an image, not a camera. what additional information is being specified in the permissions descriptor which wasn't already deductible from the inclusion of a file upload? This would additionally impose the scenario where applications include the use of some restricted system resource but fail to document the use in their descriptor, not an insurmountable problem but it draws any usefulness into question. Same problem as with Firefox on Android. There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Yeah, if a single entity edits and signs multiple resources, it's unreasonable to trust one but not another.
Re: [whatwg] Proposal for a web application descriptor
On 02/05/2011, at 10:47 AM, Henri Sivonen wrote: On Sat, 2011-04-30 at 09:52 -0400, Glenn Maynard wrote: Asking for specific permissions in the context of a user action is the only model that makes sense to me. When applications ask for a big bundle of permissions in advance, how can I as a user know what to do? I'm sure to get into a habit of either blindly denying the permissions (crippling applications), or granting the permissions (terrible for security). There's also the problem that legitimate permission requests that lack context make people who understand the implications needlessly cautious. For example, some of my friends were suspicious of Firefox for Android wanting access to geolocation. The request for the permission wasn't in the context of an explanation of how Firefox uses that system API to implement the Web geolocation API and has its own authorization UI layer on top of it. (I think asking for a specific permission in the context of a user interaction is better than asking for a bunch of stuff up front.) -- Henri Sivonen hsivo...@iki.fi http://hsivonen.iki.fi/ I would agree a command-level authorization is a better default, if only because it is necessary to have this level of granularity available. The quantity of permission requests can be managed in an effective manner by the agent allowing the user to store their preferences for the next command or as a universal setting. This is similar to what firefox does for launching unknown file types, session restore, or lots of other functions, although it would be in the context of a web application itself. The case for an application-level permissions descriptor would seem to make more sense for desktop-style applications or browser plugins - in these scenarios the application may require permissions to be granted up front due to the potential background operation of the applications. On the web, applications are virtually by definition limited to operating only from direct user action and should not require such up front permission. For web applications to specify their required permissions would seem to introduce a duplication of specification. If a web application includes an image file upload which the user chooses to capture from webcam, first how is the application to know that the user would use a web cam? and second what additional information is being specified in the permissions descriptor which wasn't already deductible from the inclusion of a file upload? This would additionally impose the scenario where applications include the use of some restricted system resource but fail to document the use in their descriptor, not an insurmountable problem but it draws any usefulness into question. It would seem that a problem is not how to request the granting of permissions but how to store the user's preference within the context of an arbitrary web application, ie what is the boundary of delineation? Domain, Site or Page? There are a number of resources which are thought of having an 'application' scope which may make sense to be collated into a single manifest and with the ability for an agent to manage it as such. Thanks, Cameron Jones
Re: [whatwg] Proposal for a web application descriptor
On Sat, 2011-04-30 at 09:52 -0400, Glenn Maynard wrote: Asking for specific permissions in the context of a user action is the only model that makes sense to me. When applications ask for a big bundle of permissions in advance, how can I as a user know what to do? I'm sure to get into a habit of either blindly denying the permissions (crippling applications), or granting the permissions (terrible for security). While some Mozilla developers may think big bundle of permissions is a good idea, others such as me do not. I'd wonder what their response is to Android; the problems on that platform are obvious. The result is exactly as you say: people end up giving up and just accepting everything. There's also the problem that legitimate permission requests that lack context make people who understand the implications needlessly cautious. For example, some of my friends were suspicious of Firefox for Android wanting access to geolocation. The request for the permission wasn't in the context of an explanation of how Firefox uses that system API to implement the Web geolocation API and has its own authorization UI layer on top of it. (I think asking for a specific permission in the context of a user interaction is better than asking for a bunch of stuff up front.) -- Henri Sivonen hsivo...@iki.fi http://hsivonen.iki.fi/
Re: [whatwg] Proposal for a web application descriptor
Hello everyone, After reading all your comments I partly re-tought some of my ideas. First of all it might not be the best idea to create a full application descriptor if it would only be used to specify permissions. Additionally, I can see why people do not want to be asked for all permissions at once. However, I on the other hand do not want to be asked for all permissions separately. After reading some of the links posted in this discussion I modified my proposal a little. You can find the new version here: http://www.simonheckmann.de/proposal/draft2 While the first part has not changed much, the second part is all-new and includes two completely re-modeled mock-ups. Again, comments are welcome. Kind regards, Simon Heckmann Am 30.04.2011 um 17:23 schrieb Robert O'Callahan: On Sun, May 1, 2011 at 1:52 AM, Glenn Maynard gl...@zewt.org wrote: On Sat, Apr 30, 2011 at 5:23 AM, Robert O'Callahan rob...@ocallahan.org wrote: The application could have a settings page with a checkbox Enable desktop notifications. When you click on that box, the browser shows its (passive, asynchronous) UI for enabling desktop notifications for that application. This still implies having an API to ask for permission for a feature before using it. (Web Notifications has a draft for this: http://dev.w3.org/2006/webapi/WebNotifications/publish/FeaturePermissions.html .) Also, many developers won't want a UI like that, since when you disable a feature and expect users to enable it in settings, a lot of them won't. Many people never look at settings pages at all. Pages are more likely to request permissions as soon as they can. Notifications are a particularly hard case for the principle of requesting permissions in response to user action, because the whole point of notifications is that they happen when the user isn't giving the application attention :-). Another possible approach would be to have the default be for notifications to show up in browser UI associated with the page --- e.g., highlight the tab title and show the notification(s) at the top of the page if you switch to the tab --- and in that notification-showing UI, offer a show on desktop button which lets the notifications for that application migrate to the desktop --- effectively a permission grant. Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. I think we have to consider specific cases. For Skype, it depends on whether all those permissions are really needed, and why... It might not be that hard to figure out how to make on-demand permission grants intelligible. We owe it to users to try. Rob -- Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. [Acts 17:11]
Re: [whatwg] Proposal for a web application descriptor
Hi Simon, Just to be certain, I'd like to ask if You are targeting desktop browser in mobile devices, such as iPad and iPhones, as well, or is Your proposal focused on PC/laptop devices? Kind Regards Göran On 2011-05-01 16.49, Simon Heckmann si...@simonheckmann.de wrote: Hello everyone, After reading all your comments I partly re-tought some of my ideas. First of all it might not be the best idea to create a full application descriptor if it would only be used to specify permissions. Additionally, I can see why people do not want to be asked for all permissions at once. However, I on the other hand do not want to be asked for all permissions separately. After reading some of the links posted in this discussion I modified my proposal a little. You can find the new version here: http://www.simonheckmann.de/proposal/draft2 While the first part has not changed much, the second part is all-new and includes two completely re-modeled mock-ups. Again, comments are welcome. Kind regards, Simon Heckmann Am 30.04.2011 um 17:23 schrieb Robert O'Callahan: On Sun, May 1, 2011 at 1:52 AM, Glenn Maynard gl...@zewt.org wrote: On Sat, Apr 30, 2011 at 5:23 AM, Robert O'Callahan rob...@ocallahan.org wrote: The application could have a settings page with a checkbox Enable desktop notifications. When you click on that box, the browser shows its (passive, asynchronous) UI for enabling desktop notifications for that application. This still implies having an API to ask for permission for a feature before using it. (Web Notifications has a draft for this: http://dev.w3.org/2006/webapi/WebNotifications/publish/FeaturePermission s.html .) Also, many developers won't want a UI like that, since when you disable a feature and expect users to enable it in settings, a lot of them won't. Many people never look at settings pages at all. Pages are more likely to request permissions as soon as they can. Notifications are a particularly hard case for the principle of requesting permissions in response to user action, because the whole point of notifications is that they happen when the user isn't giving the application attention :-). Another possible approach would be to have the default be for notifications to show up in browser UI associated with the page --- e.g., highlight the tab title and show the notification(s) at the top of the page if you switch to the tab --- and in that notification-showing UI, offer a show on desktop button which lets the notifications for that application migrate to the desktop --- effectively a permission grant. Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. I think we have to consider specific cases. For Skype, it depends on whether all those permissions are really needed, and why... It might not be that hard to figure out how to make on-demand permission grants intelligible. We owe it to users to try. Rob -- Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. [Acts 17:11]
Re: [whatwg] Proposal for a web application descriptor
Am 30.04.2011 um 01:41 schrieb Glenn Maynard gl...@zewt.org: On Fri, Apr 29, 2011 at 6:40 PM, Simon Heckmann si...@simonheckmann.dewrote: Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information Well, this is what I thought of: The users visit a website they have never visited before. A notifications pops up allowing them to set all permissions required for this page. The users might not trust the site yet so they do not grant all permissions immediately. There's a more common issue: when you ask me for a bunch of permissions at once, I don't know why you want them. This happens constantly with Android apps: you install a simple notepad or clock app, and it'll ask for Internet access and the ability to make phone calls, and you don't know why. This is why--in general--I like the model so far: the user is asked for permission in response to actually doing something that uses a feature. In the notepad app, you're asked for permission to access the internet when you select sync notes to your desktop PC; it's immediately obvious why it's asking for it. (That's an Android example, of course, not a web app example.) Hopefully the ultimate solution will deal with both, allowing UAs the option of asking all at once or on-demand, depending on the situation. (Some permissions inherently have to be asked in advance, like Web Notifications, which doesn't happen in response to a user action.) -- Glenn Maynard I agree: That is why the example you quote from my previous mail went on like this: As the users continue to use the page, the web site could check the status of the permission using javascript and remind the user to rethink his permission settings: This site would like to access your camera to scan for a barcode. If you want to use this feature, please use the global permissions dialog to set them. This way users that trust/know the application can give permissions directly while others might grant permissions one at the time. Thats why I like the idea of a consolidated dialog. The user could always quicky return to it and maintain all permissions at once.
Re: [whatwg] Proposal for a web application descriptor
On Sat, Apr 30, 2011 at 11:41 AM, Glenn Maynard gl...@zewt.org wrote: This is why--in general--I like the model so far: the user is asked for permission in response to actually doing something that uses a feature. In the notepad app, you're asked for permission to access the internet when you select sync notes to your desktop PC; it's immediately obvious why it's asking for it. (That's an Android example, of course, not a web app example.) Hopefully the ultimate solution will deal with both, allowing UAs the option of asking all at once or on-demand, depending on the situation. (Some permissions inherently have to be asked in advance, like Web Notifications, which doesn't happen in response to a user action.) The application could have a settings page with a checkbox Enable desktop notifications. When you click on that box, the browser shows its (passive, asynchronous) UI for enabling desktop notifications for that application. Asking for specific permissions in the context of a user action is the only model that makes sense to me. When applications ask for a big bundle of permissions in advance, how can I as a user know what to do? I'm sure to get into a habit of either blindly denying the permissions (crippling applications), or granting the permissions (terrible for security). While some Mozilla developers may think big bundle of permissions is a good idea, others such as me do not. Rob -- Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. [Acts 17:11]
Re: [whatwg] Proposal for a web application descriptor
On Sat, Apr 30, 2011 at 3:30 AM, Simon Heckmann si...@simonheckmann.dewrote: I agree: That is why the example you quote from my previous mail went on like this: As the users continue to use the page, the web site could check the status of the permission using javascript and remind the user to rethink his permission settings: This site would like to access your camera to scan for a barcode. If you want to use this feature, please use the global permissions dialog to set them. This way users that trust/know the application can give permissions directly while others might grant permissions one at the time. Thats why I like the idea of a consolidated dialog. The user could always quicky return to it and maintain all permissions at once. This is what I was cautioning against. Scripts prompting manually is both a bad API and bad UI. Scripts shouldn't pop up a message telling the user to track down some other UI; they should simply attempt to use what they want to use, so the browser can just ask. On Sat, Apr 30, 2011 at 5:23 AM, Robert O'Callahan rob...@ocallahan.org wrote: The application could have a settings page with a checkbox Enable desktop notifications. When you click on that box, the browser shows its (passive, asynchronous) UI for enabling desktop notifications for that application. This still implies having an API to ask for permission for a feature before using it. (Web Notifications has a draft for this: http://dev.w3.org/2006/webapi/WebNotifications/publish/FeaturePermissions.html .) Also, many developers won't want a UI like that, since when you disable a feature and expect users to enable it in settings, a lot of them won't. Many people never look at settings pages at all. Pages are more likely to request permissions as soon as they can. Asking for specific permissions in the context of a user action is the only model that makes sense to me. When applications ask for a big bundle of permissions in advance, how can I as a user know what to do? I'm sure to get into a habit of either blindly denying the permissions (crippling applications), or granting the permissions (terrible for security). While some Mozilla developers may think big bundle of permissions is a good idea, others such as me do not. I'd wonder what their response is to Android; the problems on that platform are obvious. The result is exactly as you say: people end up giving up and just accepting everything. (The permissions request for Skype includes: read contact data, write contact data, coarse (network-based) location, full Internet access, act as an account authenticator, manage the accounts list, user the authentication credentials of an account, modify/delete USB storage contents, change your audio settings, record audio, read phone state and identity, disable keylock, modify global system settings, prevent phone from sleeping, retrieve running applications, write sync settings, view network state, view Wi-Fi state, control vibrator, read sync settings, read sync statistics, discover known accounts. It's hopeless; if take out a mortgage on your house was in there, nobody would notice.) Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. -- Glenn Maynard
Re: [whatwg] Proposal for a web application descriptor
On Sun, May 1, 2011 at 1:52 AM, Glenn Maynard gl...@zewt.org wrote: On Sat, Apr 30, 2011 at 5:23 AM, Robert O'Callahan rob...@ocallahan.org wrote: The application could have a settings page with a checkbox Enable desktop notifications. When you click on that box, the browser shows its (passive, asynchronous) UI for enabling desktop notifications for that application. This still implies having an API to ask for permission for a feature before using it. (Web Notifications has a draft for this: http://dev.w3.org/2006/webapi/WebNotifications/publish/FeaturePermissions.html .) Also, many developers won't want a UI like that, since when you disable a feature and expect users to enable it in settings, a lot of them won't. Many people never look at settings pages at all. Pages are more likely to request permissions as soon as they can. Notifications are a particularly hard case for the principle of requesting permissions in response to user action, because the whole point of notifications is that they happen when the user isn't giving the application attention :-). Another possible approach would be to have the default be for notifications to show up in browser UI associated with the page --- e.g., highlight the tab title and show the notification(s) at the top of the page if you switch to the tab --- and in that notification-showing UI, offer a show on desktop button which lets the notifications for that application migrate to the desktop --- effectively a permission grant. Of course, asking each of these while using the application would also be painfully annoying, and it's not obvious how to make permissions meaningful to the user (eg. when you use its feature) while also scaling to lots of permissions. I think we have to consider specific cases. For Skype, it depends on whether all those permissions are really needed, and why... It might not be that hard to figure out how to make on-demand permission grants intelligible. We owe it to users to try. Rob -- Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. [Acts 17:11]
[whatwg] Proposal for a web application descriptor
Hello everyone, I have read a lot in the last month about the future of html and web applications and I am very impressed by the progress this makes. However, I have come across some thing that annoys me: Permissions. I know they are important and I know they are needed but currently I find this quite inconvenient. And with more and more permissions coming up this might get worse so I spent some time thinking about it. I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) It should just take only a few minutes to read and includes examples and screenshots. I am really looking forward to hearing your thoughts on this. Please feel free to share this idea with whomever you want to. If you think I should post this proposal somewhere else please say so. Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis
Re: [whatwg] Proposal for a web application descriptor
Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
You may also want to look at the ideas being floated by Mozilla and others for installed web apps to request extra privileges. This is expected to lead to a new W3C Working Group within a few months from now, and I am hoping to see progress on being able to run the browser in a locked down mode that is more secure than is the default for web pages today (e.g. no eval, constrained innerHTML), and to then make a single request for a list of privileges: http://dougt.org/wordpress/2011/03/device-api-permission-management/ http://groups.google.com/group/mozilla-labs/browse_thread/thread/e592b27e54b7f857 http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html#capability Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information * white and black lists for well behaved and evil applications - which leads on to the role of trust delegation for improved usability and whether crowd based recommendations are practical We should think how to work together with Mozilla, Google and others on a joint proposal as this is likely to have greater chance of widespread adoption than doing something in isolation. On 29/04/11 13:00, Simon Heckmann wrote: Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmannsi...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann -- Dave Raggettd...@w3.org http://www.w3.org/People/Raggett
Re: [whatwg] Proposal for a web application descriptor
Am 29.04.2011 um 16:47 schrieb Dave Raggett: You may also want to look at the ideas being floated by Mozilla and others for installed web apps to request extra privileges. This is expected to lead to a new W3C Working Group within a few months from now, and I am hoping to see progress on being able to run the browser in a locked down mode that is more secure than is the default for web pages today (e.g. no eval, constrained innerHTML), and to then make a single request for a list of privileges: http://dougt.org/wordpress/2011/03/device-api-permission-management/ http://groups.google.com/group/mozilla-labs/browse_thread/thread/e592b27e54b7f857 http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html#capability Thank you! I read through these articles and I like what they are proposing. I also think it is a good idea to tackle this with a joint proposal. While some of the suggestions made in the documents relate to querying the permission through javascript I still see room for my idea to ask for permissions on start-up. I am not yet sure if this all only holds true for super-applications, as even normal websites would want to access my camera or address book and therefore need permission. Anyway, I am looking forward to giving input to a larger scope proposal. Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information Well, this is what I thought of: The users visit a website they have never visited before. A notifications pops up allowing them to set all permissions required for this page. The users might not trust the site yet so they do not grant all permissions immediately. As the users continue to use the page, the web site could check the status of the permission using javascript and remind the user to rethink his permission settings: This site would like to access your camera to scan for a barcode. If you want to use this feature, please use the global permissions dialog to set them. * white and black lists for well behaved and evil applications - which leads on to the role of trust delegation for improved usability and whether crowd based recommendations are practical I agree! But in the end this is similar to desktop applications. It pretty much depends on the users which applications they run and which they do not trust. I think this is where web app stores might come into play. A central place where user can share their experience. We should think how to work together with Mozilla, Google and others on a joint proposal as this is likely to have greater chance of widespread adoption than doing something in isolation. Great idea! Is there another mailing list where this should be posted on? On 29/04/11 13:00, Simon Heckmann wrote: Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmannsi...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann -- Dave Raggettd...@w3.org http://www.w3.org/People/Raggett
Re: [whatwg] Proposal for a web application descriptor
On Fri, Apr 29, 2011 at 6:40 PM, Simon Heckmann si...@simonheckmann.dewrote: Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information Well, this is what I thought of: The users visit a website they have never visited before. A notifications pops up allowing them to set all permissions required for this page. The users might not trust the site yet so they do not grant all permissions immediately. There's a more common issue: when you ask me for a bunch of permissions at once, I don't know why you want them. This happens constantly with Android apps: you install a simple notepad or clock app, and it'll ask for Internet access and the ability to make phone calls, and you don't know why. This is why--in general--I like the model so far: the user is asked for permission in response to actually doing something that uses a feature. In the notepad app, you're asked for permission to access the internet when you select sync notes to your desktop PC; it's immediately obvious why it's asking for it. (That's an Android example, of course, not a web app example.) Hopefully the ultimate solution will deal with both, allowing UAs the option of asking all at once or on-demand, depending on the situation. (Some permissions inherently have to be asked in advance, like Web Notifications, which doesn't happen in response to a user action.) -- Glenn Maynard
