On Jun 30, 2012, at 1:52 AM, Sid Stamm wrote:
> Hi All,
> I updated the security model wiki page to reflect the things we talked
> about in the late-May thread. The changes were pretty minor since, as a
> few people pointed out, the underpinnings of the privacy updates were
> already considered in the model! Here's a diff:
>
> https://wiki.mozilla.org/index.php?title=Apps/Security&diff=446856&oldid=441197
>
> There are still a few open issues that I think we can easily iron out.
>
> 1. For untrusted apps, should we show data usage intentions (rationale)
> as permissions are requested? These strings are not reviewed by an app
> store, but as Adrienne pointed out, the value may outweigh the risk of
> deception.
I think our permission UI should be trustworthy, which means the user should be
able to rely upon the information it presents. This falls far short of that.
> 2. Format of the field in the manifest. I propose the field name be
> "Intended Use", and the value be 128 characters (to keep it easy to
> read). Sound good?
Sounds good.
> 3. How will users be able to access usage intentions for permissions
> that are implicit or for certified apps? Currently they can read the
> manifest, but will we build an easier way for them to find 'em at runtime?
We don't intend to expose implicit permissions to users. Then again,
implicit permissions (except for certified apps) should not be privacy
impacting things that the user would likely have any understanding of anyway.
Our criteria for explicit permissions is basically: things that could put the
user's privacy at risk. Modulo low-risk data leakage and persistence (i.e.
apps can store more data and for longer than webpages).
> 4. In the developer documentation, should we provide a suggested
> formula for the usage intentions? (e.g., "We want {permission} to
> obtain {data type} which we will keep {how long and where kept}") or
> should we provide some pre-written examples for each permission? This
> may be too difficult to get right, but should we try?
Such a template seems like a good idea but it would have to be validated with a
pretty broad set of use cases. It would help with localization too, though.
> Finally, there's one technical follow-up for the manifest. Does the
> below proposal sound like a reasonable approach? I like it.
>
> 5. How can these strings be localized into the app runtime's chosen
> locale? ianb suggested:
> {
>   name: "Stachy (beta)",
>   permissions: {
>     "camera": {usage: "To spy on you while you are sleeping"}
>   },
>   locales: {
>     "es": {
>       permissions: {
>         "camera": {usage: "Para espiar a usted mientras usted está durmiendo"}
>       }
>     }
>   },
>   default_locale: "en-US"
> }
Paul brought this up too but it does seem like it would be prone to cut&paste
mistakes (resulting in different permissions sets for different locales).
Maybe having a single permission list with per-locale usages would work.
Lucas.
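An added example, not code from this thread or from Mozilla's apps project, that works through point 5 and Lucas's concern about it. It takes the manifest shape ianb proposed (per-locale "permissions" blocks that repeat the base list), flags the cut&paste drift Lucas describes (a locale block that names a permission the base list never grants, or omits one it does), resolves the usage string for a runtime locale with fallback to the base text, and converts the manifest into the single-permission-list-with-per-locale-usages shape he suggests. The sample app name, locale tags and usage strings are constructed for the example; the field layout of the converted shape and the MAX_USAGE_LENGTH constant (taken from the 128-character proposal in point 2) are this example's assumptions, not a Mozilla specification.

```javascript
// Added example (not from the thread or the Mozilla apps project).
// Manifest shape follows ianb's proposal quoted above; all sample values are constructed.

const MAX_USAGE_LENGTH = 128; // limit proposed for the "Intended Use" field (assumption from point 2)

// Constructed sample manifest with deliberate drift: the "es" block lists "contacts",
// which the base list never grants, and both locale blocks omit "geolocation".
const sampleManifest = {
  name: "Example Photo App",
  permissions: {
    camera: { usage: "To take profile photos you choose to upload" },
    geolocation: { usage: "To show nearby print shops; never stored" },
  },
  locales: {
    es: {
      permissions: {
        camera: { usage: "Para tomar fotos de perfil que usted elija subir" },
        contacts: { usage: "Para encontrar amigos" }, // not in the base list
      },
    },
    fr: {
      permissions: {
        camera: { usage: "Pour prendre des photos de profil que vous choisissez d'envoyer" },
      },
    },
  },
  default_locale: "en-US",
};

// Checks one {usage: ...} entry; returns a problem string or null.
function checkUsage(label, entry) {
  if (!entry || typeof entry.usage !== "string" || entry.usage.trim() === "") {
    return `${label}: missing usage string`;
  }
  if (entry.usage.length > MAX_USAGE_LENGTH) {
    return `${label}: usage longer than ${MAX_USAGE_LENGTH} characters`;
  }
  return null;
}

// Returns the list of problems found; an empty list means every per-locale
// block names exactly the permissions in the base list, with usable strings.
function checkManifest(manifest) {
  const problems = [];
  const base = manifest.permissions || {};
  const basePerms = Object.keys(base);
  for (const perm of basePerms) {
    const p = checkUsage(`permission "${perm}"`, base[perm]);
    if (p) problems.push(p);
  }
  for (const [locale, block] of Object.entries(manifest.locales || {})) {
    const localized = (block && block.permissions) || {};
    for (const perm of Object.keys(localized)) {
      if (!basePerms.includes(perm)) {
        problems.push(`locale "${locale}": "${perm}" is not in the base permission list`);
        continue;
      }
      const p = checkUsage(`locale "${locale}" permission "${perm}"`, localized[perm]);
      if (p) problems.push(p);
    }
    for (const perm of basePerms) {
      if (!(perm in localized)) problems.push(`locale "${locale}": no usage string for "${perm}"`);
    }
  }
  return problems;
}

// Resolves the usage string shown for each permission in the runtime locale.
// The permission set always comes from the base list, so a stray entry in a
// locale block never adds a permission; a missing entry falls back to the base text.
function usageForLocale(manifest, locale) {
  const localized = ((manifest.locales || {})[locale] || {}).permissions || {};
  const out = {};
  for (const [perm, entry] of Object.entries(manifest.permissions || {})) {
    const l = localized[perm];
    out[perm] = l && typeof l.usage === "string" ? l.usage : entry.usage;
  }
  return out;
}

// Converts to the shape Lucas suggests: one permission list, each entry carrying
// a usage string per locale (field layout is this example's assumption).
// Locale entries for permissions outside the base list are dropped, so the
// permission set cannot differ between locales by construction.
function toSingleList(manifest) {
  const single = { name: manifest.name, default_locale: manifest.default_locale, permissions: {} };
  for (const [perm, entry] of Object.entries(manifest.permissions || {})) {
    single.permissions[perm] = { usage: { [manifest.default_locale]: entry.usage } };
  }
  for (const [locale, block] of Object.entries(manifest.locales || {})) {
    for (const [perm, entry] of Object.entries((block && block.permissions) || {})) {
      if (single.permissions[perm]) single.permissions[perm].usage[locale] = entry.usage;
    }
  }
  return single;
}
```

Running checkManifest(sampleManifest) reports three problems (the stray "contacts" entry and the missing "geolocation" string in both locale blocks); usageForLocale(sampleManifest, "es") still lists only the two base permissions, with the Spanish camera text and the English geolocation text. The converted single-list form is what a store or runtime validator would have an easier time reasoning about, since the set of permissions appears exactly once.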
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps