I'm not sure an app can effectively bully the user. If the user selects "permanently deny", the dialog won't ever come up again (obviously, the user can change their mind by going to the Permissions Manager App). So, a chess program that wants to use geolocation would try to use the API. The dialog would come up. The user can either allow or deny and either once or always. If once is selected, the next time the API is used the dialog will come up again. If always is selected, the dialog never comes up again. The app can't change the choices and the app can't display it's own dialog (well, depending on what our dialog looks like, I guess it could display a dialog, but it would do it no good as it won't have permission to modify permissions). All the user has to do is select the always option and that's that. An app COULD complain to the user if they are denied access and try to get them to go to the Permissions Manager app, but I suspect any app that was so abusive wo uld be deleted very quickly. -Jim Straus
On Mar 15, 2012, at 5:53 PM, lkcl luke wrote: > On Thu, Mar 15, 2012 at 9:31 PM, Justin Lebar <[email protected]> wrote: >>> There is still an open question on how a permissions manager should >>> respond in the event of a DENIED permission. One suggestion is to not >>> error out but return some default/safe value e.g. no contacts if an >>> app is not granted Contacts information. A concern of this proposal >>> is that an app may continue to poll for a permission until it is >>> granted or an app may pop up a dialog to have the user grant the >>> permission. >> >> I don't understand this. Can you give a concrete example of what the >> problem is here, for example with the current geolocation API? > > i believe david is referring to an app carrying out psychological > bullying / blackmail attacks on its users, by repeatedly demanding > permission for access, would that be a correct assessment, david? > > l. _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
