Intent to Implement: Permissions.request() and Permissions.revoke()

[Mounir Lamouri]

= Contact emails =
mlam...@chromium.org, lal...@google.com

= Spec =
https://w3c.github.io/permissions/

= Summary/Motivation =
Provide a method for websites to request a permission directly. This is
something that is already doable for most APIs using some ways around
the lack of proper call. It can also be used to improve UI by requesting
multiple permissions at once. It would allow browsers to merge
permission requests without requiring wild guesses and heuristics.
The revoking bit is for completeness: it allows a website to revoke a
permission which can be used for example when a user disable some
options (eg. "Location sharing" option in a social website).

= Compatibility Risk =
Firefox: No public signals
Internet Explorer: No public signals
Safari: No public signals
Web developers: Positive

Mozilla did not give any public signal yet but I did work with Anne van
K. (Mozilla) on some Permissions API changes including the addition of
these methods.

= Ongoing technical constraints =
None.

= Will this feature be supported on all six Blink platforms? =
Yes. Though, WebView needs some API change of its own to fully support
the Permissions API.

= OWP launch tracking bug =
https://crbug.com/510405

= Link to entry on the Chromium Dashboard =
https://www.chromestatus.com/features/5707368532803584

= Requesting approval to ship? =
No.

-- Mounir

[Anne van Kesteren]

On Wed, Jul 15, 2015 at 1:40 PM, Mounir Lamouri <mou...@lamouri.fr> wrote:
> Mozilla did not give any public signal yet but I did work with Anne van
> K. (Mozilla) on some Permissions API changes including the addition of
> these methods.

I think I was fairly clear that the current object-based approach
seems overkill given that implementations just use strings. In
addition, I pointed out that what you have now is not valid IDL.

Also, you should probably point out that while there is a
specification, request() just says "TODO".


--
https://annevankesteren.nl/

[Philip Jägenstedt]

On Wed, Jul 15, 2015 at 1:44 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Wed, Jul 15, 2015 at 1:40 PM, Mounir Lamouri <mou...@lamouri.fr> wrote:
>> Mozilla did not give any public signal yet but I did work with Anne van
>> K. (Mozilla) on some Permissions API changes including the addition of
>> these methods.
>
> I think I was fairly clear that the current object-based approach
> seems overkill given that implementations just use strings. In
> addition, I pointed out that what you have now is not valid IDL.

Do you mean that instead of request({name: "push"}) you'd like just
request("push")?

I suppose that the invalid bit is having a sequence of dictionaries,
as you couldn't distinguish between what is a single dictionary and
what is a sequence of them, as both are objects?

Philip

[Mounir Lamouri]

On Wed, 15 Jul 2015, at 12:44, Anne van Kesteren wrote:
> On Wed, Jul 15, 2015 at 1:40 PM, Mounir Lamouri <mou...@lamouri.fr>
> wrote:
> > Mozilla did not give any public signal yet but I did work with Anne van
> > K. (Mozilla) on some Permissions API changes including the addition of
> > these methods.
>
> I think I was fairly clear that the current object-based approach
> seems overkill given that implementations just use strings.

I think this is orthogonal to request() and revoke(). We have not solved
this problem yet and whatever the resolution is, it will have to apply
to all methods. The specification needs to stay consistent.

> In
> addition, I pointed out that what you have now is not valid IDL.

This will have to be fixed. As you pointed below, the spec for request()
isn't fully fleshed out. The UC is that we want to be able to request 1
or more permissions at a time. If the current IDL doesn't allow that,
something else will need to be done.

> Also, you should probably point out that while there is a
> specification, request() just says "TODO".

Yes. This is an intent to implement. This will definitely be fixed for
the intent to ship.

-- Mounir

[Alex Russell]

Anne: you keep saying "overkill", but even a simple API like geolocation shows this isn't "overkill" at all. Can you back up your assertion?

Mounir: very excited to see this moving forward. Hoping others LGTM with all deliberate speed = )

On Wed, Jul 15, 2015 at 1:44 PM, Anne van Kesteren <ann...@annevk.nl> wrote:

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

[Anne van Kesteren]

On Wed, Jul 15, 2015 at 4:43 PM, Alex Russell <sligh...@google.com> wrote:
> Anne: you keep saying "overkill", but even a simple API like geolocation
> shows this isn't "overkill" at all. Can you back up your assertion?

I don't see how geolocation shows this. My assertion is based on the
code in each browser that clearly shows permissions are simple strings
(as I already said).


--
https://annevankesteren.nl/

[Philip Jägenstedt]

No LGTM necessary to implement, but nonetheless this seems like
goodness and I hope the syntax bits can be sorted out in parallel.

(Just using strings until something more is needed seems reasonable to
me, at least.)