I feel very strongly that we should initially attempt to design a system
where there are no install-time permission prompts, and more generally,
no prompts for which "remember this decision" is a desirable option.
As Adrienne has been pointing out, permissions dialogs in general do not
work. They ask a non-expert user to make a security-critical choice,
based on inadequate information, at a point in the workflow where most
users will actively *avoid* stopping to think. (I don't have studies to
hand, but I'm sure Adrienne does.) From the UX perspective *and* the
security perspective, anything we can do to get away from them is worth
doing. And we have a known better alternative: implicit, one-time-only
deduction of permission from intentional user actions, such as pressing
a "take photo" button.

I'm frustrated by the Camera API discussion because there seem to be a
bunch of people who don't even want to *try* to do something better.
Sure, there exist applications for which it's not obvious how to fit
them into an only-if-the-user-pressed-the-button-just-now paradigm, but
that doesn't mean we should give up! (I'm pretty sure we can fit all
camera use cases into a combination of "you can draw over the preview
but you can't see the results" and "video recording mode".)

Let's treat permissions dialogs as an option of last resort. Let's only
do them if we really can't find any other way for a particular privilege.
zw
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
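The pattern the message argues for (a privilege deduced once from an intentional user action, with nothing remembered afterwards) can be made concrete with a small model. The code below is an added illustration, not code from this thread, from Mozilla, or from any browser; the "activation" object stands in for a trusted UI event such as the user pressing a "take photo" button, the button ids and the one-frame stub camera are assumptions, and the frame bytes are constructed for the example.

```javascript
// Model of gesture-gated, one-shot capability access (added example, not
// browser or Mozilla code). The broker grants camera capture only while a
// trusted "take-photo" press is being handled, and each press pays for at
// most one frame. There is no prompt and no "remember this decision" path.

// The single transient activation. It exists only while the trusted handler
// that produced it is running, and is spent by exactly one capture.
let activation = null;

// Simulates the trusted UI layer dispatching a press on a privileged button.
// In a real design only the platform, never page script, can call this.
function runWithUserActivation(buttonId, handler) {
  activation = { buttonId, consumed: false };
  try {
    return handler();
  } finally {
    activation = null; // gesture is over: nothing persists past it
  }
}

// Stand-in for a camera frame (constructed bytes, not real image data).
const STUB_FRAME = new Uint8Array([0xff, 0xd8, 0x00, 0x01, 0x02, 0xff, 0xd9]);

// The only entry point page script gets. It succeeds iff it runs
// synchronously inside the "take-photo" handler and that press has not
// already been used for a capture.
function capturePhoto() {
  if (activation === null || activation.buttonId !== 'take-photo') {
    throw new Error('NotAllowedError: capture requires a fresh take-photo press');
  }
  if (activation.consumed) {
    throw new Error('NotAllowedError: this press has already been used');
  }
  activation.consumed = true;
  return STUB_FRAME;
}

// Helper that turns success/failure into a plain result for the scenarios.
function outcome(fn) {
  try {
    return { ok: true, bytes: fn().length };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Scenario 1: page script asks for a frame with no user gesture at all.
function captureWithoutGesture() {
  return outcome(capturePhoto);
}

// Scenario 2: the user pressed some other button (e.g. "upload"); that
// action does not imply consent to capture.
function captureFromWrongButton() {
  return runWithUserActivation('upload', () => outcome(capturePhoto));
}

// Scenario 3: the intended flow: one press, one frame, no dialog.
function captureFromTakePhoto() {
  return runWithUserActivation('take-photo', () => outcome(capturePhoto));
}

// Scenario 4: the page tries to stretch one press into two captures.
function doubleCaptureFromOnePress() {
  return runWithUserActivation('take-photo', () => [
    outcome(capturePhoto),
    outcome(capturePhoto),
  ]);
}

// Scenario 5: the page stashes the capability and calls it after the
// gesture has ended (the equivalent of "remember this decision").
function captureAfterGestureEnded() {
  let stashed = null;
  runWithUserActivation('take-photo', () => {
    stashed = capturePhoto;
  });
  return outcome(stashed);
}
```

The edge worth noticing is scenario 5: because the grant lives only in the transient activation and not in any stored state, a page that hoards the function handle gains nothing, which is exactly the property a "remember" checkbox would destroy. Anything asynchronous (awaiting a network round trip before capturing, for instance) falls into the same bucket and must instead re-derive its permission from a fresh press.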