Intent to Prototype: Selective Permissions Intervention

[Josh Karlin]

Contact emails

jka...@google.com

Explainer

https://github.com/explainers-by-googlers/selective-permissions-intervention

Specification

None

Summary

A web platform intervention designed to better align API permissions with user intent by preventing ad scripts from accessing certain privacy-sensitive APIs.

Blink component

Blink>PermissionsAPI

Motivation

When a user grants a website permission to access a powerful API like their precise geolocation, microphone, camera, screen, or clipboard contents, their consent is intended for the site, not necessarily to every third-party script running on the page. In particular, embedded ad scripts can currently leverage the page's permission to opportunistically access this sensitive data. The user may not be aware that an advertisement is accessing their information. This intervention aims to better align a granted permission with user intent by preventing ad script in a context with API permission from using it, reinforcing user trust and control over their data.

Initial public proposal

https://github.com/explainers-by-googlers/selective-permissions-intervention

TAG review

None

TAG review status

Pending

Risks

Interoperability and Compatibility

None

Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Is this feature fully tested by web-platform-tests?

No

Flag name on about://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4811835974615040?gate=5415705121652736

This intent message was generated by Chrome Platform Status.

[Rick Byers]

Thanks for sharing Josh!

While the only real security boundary on the page can be the frame boundary, I'm personally a fan of this work to provide some defense-in-depth and help reinforce that powerful permissions are for use or delegation by the 1P shown in the address bar, not 3P scripts which aren't specifically coordinating with the 1P for that powerful access under the 1P's reputation. Of course the devil will be in the details in ensuring we avoid hurting legitimate use-cases, but I know you are a world expert in doing this responsibly so I'm confident and looking forward to the public discussion of the data here at I2S time!

Cheers,

   Rick 

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAANMuaPvKk3qSGk%2BH1ExKZEB4nSfg69x_yLDaT_73GOqUa4NWQ%40mail.gmail.com.