On 02/05/2011, at 10:47 AM, Henri Sivonen wrote:

> On Sat, 2011-04-30 at 09:52 -0400, Glenn Maynard wrote:
>>> Asking for specific permissions in the context of a user action is the
>>> only model that makes sense to me. When applications ask for a big bundle of
>>> permissions in advance, how can I as a user know what to do? I'm sure to get
>>> into a habit of either blindly denying the permissions (crippling
>>> applications), or granting the permissions (terrible for security).
> 
> There's also the problem that legitimate permission requests that lack
> context make people who understand the implications needlessly cautious.
> For example, some of my friends were suspicious of Firefox for Android
> wanting access to geolocation. The request for the permission wasn't in
> the context of an explanation of how Firefox uses that system API to
> implement the Web geolocation API and has its own authorization UI layer
> on top of it.
> 
> (I think asking for a specific permission in the context of a user
> interaction is better than asking for a bunch of stuff up front.)
> 
> -- 
> Henri Sivonen
> hsivo...@iki.fi
> http://hsivonen.iki.fi/
> 

I would agree a command-level authorization is a better default, if only 
because it is necessary to have this level of granularity available.

The quantity of permission requests can be managed in an effective manner by 
the agent allowing the user to store their preferences for the next command or 
as a universal setting.

This is similar to what Firefox does for launching unknown file types, session 
restore, or lots of other functions, although it would be in the context of a 
web application itself.

The case for an application-level permissions descriptor would seem to make 
more sense for desktop-style applications or browser plugins; in these 
scenarios the application may require permissions to be granted up front due to 
the potential background operation of the applications. On the web, 
applications are virtually by definition limited to operating only from direct 
user action and should not require such up-front permission.

For web applications to specify their required permissions would seem to 
introduce a duplication of specification. If a web application includes an 
image file upload which the user chooses to capture from a webcam, first, how is 
the application to know that the user would use a webcam? And second, what 
additional information is being specified in the permissions descriptor which 
wasn't already deducible from the inclusion of a file upload? This would 
additionally impose the scenario where applications include the use of some 
restricted system resource but fail to document the use in their descriptor; 
not an insurmountable problem, but it draws any usefulness into question.

It would seem that the problem is not how to request the granting of permissions 
but how to store the user's preference within the context of an arbitrary web 
application, i.e. what is the boundary of delineation? Domain, site or page?

There are a number of resources which are thought of as having an 'application' 
scope which may make sense to be collated into a single manifest, with the 
ability for an agent to manage it as such.

Thanks,
Cameron Jones
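The agent-side model Cameron sketches above (command-level authorization, with the user's decision remembered for the next command, for the page, origin or site, or universally), written out as an added JavaScript example that is not part of this thread or of any browser's code. The "site" boundary is approximated here as the last two host labels, which is an assumption of the example; a real agent would consult the Public Suffix List.

```javascript
// Added example: a toy user-agent permission store with decisions kept at four
// boundaries. The "site" computation below is a deliberate approximation.
const SCOPES = ["page", "origin", "site", "universal"];

function scopeKeys(urlString) {
  const url = new URL(urlString);
  // Approximation: treat the last two host labels as the site (not PSL-aware).
  const site = url.hostname.split(".").slice(-2).join(".");
  return {
    page: url.origin + url.pathname, // query string and fragment are ignored
    origin: url.origin,
    site: url.protocol + "//" + site,
    universal: "*",
  };
}

class PermissionStore {
  constructor() {
    this.decisions = new Map();
  }

  // Persist the user's choice ("allow" or "deny") at the chosen boundary.
  remember(urlString, permission, scope, decision) {
    if (!SCOPES.includes(scope)) throw new Error("unknown scope: " + scope);
    const key = scopeKeys(urlString)[scope];
    this.decisions.set(`${scope}|${key}|${permission}`, decision);
  }

  // Command-level authorization: a request made outside a user action is refused
  // outright. Otherwise the most specific remembered decision wins (page before
  // origin before site before universal); with nothing remembered, prompt the user.
  decide(urlString, permission, userActivation) {
    if (!userActivation) return "deny";
    const keys = scopeKeys(urlString);
    for (const scope of SCOPES) {
      const d = this.decisions.get(`${scope}|${keys[scope]}|${permission}`);
      if (d !== undefined) return d;
    }
    return "prompt";
  }
}
```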
