Fwd: [cap-talk] Web browser Powerbox implementation

16 views
Skip to first unread message

Mark S. Miller

unread,
Dec 14, 2010, 7:36:39 PM12/14/10
to Belay
The features comparison page <http://web-send.org/features.html> is especially interesting.


---------- Forwarded message ----------
From: Tyler Close <tyler...@gmail.com>
Date: Tue, Dec 14, 2010 at 9:59 AM
Subject: [cap-talk] Web browser Powerbox implementation
To: "General discussions concerning capability systems." <cap-...@mail.eros-os.org>


I've been working on adding a Powerbox to the Web browser that enables
a visited page to request use of permissions you've been given by
other web pages. Unlike past Powerboxes, like in CapDesk, I've been
aiming for an ultra-lightweight UX. Instead of a popup window, like a
file dialog, the rights amplification happens with a single click on a
drop-down menu in the page that is requesting access. I think this
lightweight UX makes it feasible to use the Powerbox for even the
tiniest delegation, thus making it pleasant for a user to do fine
grained permission management.

This new Powerbox for the browser is called the "Web Introducer". I've
built a prototype implementation using only HTML5 and JavaScript, so
it runs in the current generation of browsers, without any
extensions/plugins. I'm also working on a native implementation for
Chrome. You can read more about it, and try it out, at:

http://web-send.org/

Any feedback on the new API or UX is much appreciated.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
_______________________________________________
cap-talk mailing list
cap-...@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk



--
    Cheers,
    --MarkM

stay

unread,
Dec 14, 2010, 7:50:39 PM12/14/10
to belay-r...@googlegroups.com
The dropdown box in the bar on
http://provider1.web-send.org/
gives the options
Example Share
I'm not sure
and only works if I pick Example Share. But I'd have said the site
name was web-send.org. Also, the links to web-send.org/spec are
broken.

--
Mike Stay
st...@google.com

Tyler Close

unread,
Dec 15, 2010, 6:37:49 PM12/15/10
to belay-r...@googlegroups.com
I've fixed the broken links.

Would it make the example better if I renamed the
"provider1.web-send.org" domain to "example.web-send.org"?

A real registrant would be something like "Google" from "google.com".
But the example.org domain is already taken. ;)

--Tyler

stay

unread,
Dec 15, 2010, 8:06:07 PM12/15/10
to belay-r...@googlegroups.com
On Wed, Dec 15, 2010 at 3:37 PM, Tyler Close <tjc...@google.com> wrote:
> I've fixed the broken links.
>
> Would it make the example better if I renamed the
> "provider1.web-send.org" domain to "example.web-send.org"?
>
> A real registrant would be something like "Google" from "google.com".
> But the example.org domain is already taken. ;)

The whole interaction on that page was confusing to me. It says
> The UX for approving a registration is controlled by the user agent.
Is the bar supposed to be browser chrome or HTML/JS/CSS? What test am
I supposed to be applying to the page to tell if the registration
request is valid?

I think the bar should say something like
The site [provider1.web-send.org] would like you to put them on
the [sharing] provider list.
And then the drop-down box can say
- Please select one of the following:
- Yes, put provider1.web-send.org in the list of sharing providers.
- No, close this window.
If they select Yes, then go to the list of registered providers and
highlight the newly added one.

When I registered a new provider, I didn't expect all the other things
in the list to disappear; that was also confusing. The "edit options"
option should probably be "manage providers", since there aren't any
options other than a provider list.
--
Mike Stay
st...@google.com

Tyler Close

unread,
Dec 16, 2010, 11:51:14 AM12/16/10
to belay-r...@googlegroups.com
On Wed, Dec 15, 2010 at 5:06 PM, stay <st...@google.com> wrote:
> On Wed, Dec 15, 2010 at 3:37 PM, Tyler Close <tjc...@google.com> wrote:
>> I've fixed the broken links.
>>
>> Would it make the example better if I renamed the
>> "provider1.web-send.org" domain to "example.web-send.org"?
>>
>> A real registrant would be something like "Google" from "google.com".
>> But the example.org domain is already taken. ;)
>
> The whole interaction on that page was confusing to me.

I suspect one of the problems here is that you know to much. The
typical user won't know or care what a "provider" is.

>  It says
>> The UX for approving a registration is controlled by the user agent.
> Is the bar supposed to be browser chrome or HTML/JS/CSS?

Yes.

Browser chrome is often implemented with HTML/JS/CSS and as a user,
you can't tell the difference.

>  What test am
> I supposed to be applying to the page to tell if the registration
> request is valid?

Just answer the question asked: Does the presented name match your
expected name for the site? That's the most crucial thing for the user
to consider at this stage; nothing else matters. Any ideas on how to
better focus the user on that question?

> I think the bar should say something like
>    The site [provider1.web-send.org] would like you to put them on
> the [sharing] provider list.
> And then the drop-down box can say
> - Please select one of the following:
>   - Yes, put provider1.web-send.org in the list of sharing providers.
>   - No, close this window.
> If they select Yes, then go to the list of registered providers and
> highlight the newly added one.

But then you have to explain what a sharing provider list is and what
it means and all this extra information might distract the user from
the important question: "What's the name of this site?".

> When I registered a new provider, I didn't expect all the other things
> in the list to disappear; that was also confusing.

Interesting. Those other options were the default options presented
when we don't know the user's actual preference. The defaults are
suppressed once we know which sharing provider the user actually uses.
The reduction in clutter is supposed to be an advantage. The NASCAR
problem is generally thought to be a problem rather than a feature.
You seem to be saying you found it useful to have the NASCAR of
possible options. Is that so?

>  The "edit options"
> option should probably be "manage providers", since there aren't any
> options other than a provider list.

I want to avoid asking the user to learn any new lingo. "edit
options..." seemed like a straightforward way of saying you can change
what's displayed in this menu.

--Tyler

stay

unread,
Dec 16, 2010, 2:45:26 PM12/16/10
to belay-r...@googlegroups.com
On Thu, Dec 16, 2010 at 8:51 AM, Tyler Close <tjc...@google.com> wrote:
> On Wed, Dec 15, 2010 at 5:06 PM, stay <st...@google.com> wrote:
>>  What test am
>> I supposed to be applying to the page to tell if the registration
>> request is valid?
>
> Just answer the question asked: Does the presented name match your
> expected name for the site? That's the most crucial thing for the user
> to consider at this stage; nothing else matters. Any ideas on how to
> better focus the user on that question?

I guess I was confused about why I was being asked the question and
what the implications of either choice were. The name "Example Share"
didn't match "provider1.web-send.org" in any way I could see. It was
obviously the only choice that would have any effect on the world, but
I didn't know what the effect would be. As it turns out, the effect
was changing the options in the provider list, so I think that should
be mentioned somewhere.

How about "The web site [domain] claims to be [provided name]. It
might be lying or it might be legitimate. Do you believe it? If you
do, this site will be added to your list. If you don't, nothing will
happen."

>> When I registered a new provider, I didn't expect all the other things
>> in the list to disappear; that was also confusing.
>
> Interesting. Those other options were the default options presented
> when we don't know the user's actual preference. The defaults are
> suppressed once we know which sharing provider the user actually uses.
> The reduction in clutter is supposed to be an advantage. The NASCAR
> problem is generally thought to be a problem rather than a feature.
> You seem to be saying you found it useful to have the NASCAR of
> possible options. Is that so?

Sure--I use facebook and google and digg. Why do I have to add them
again if they're already there? If you're going to provide defaults,
have them in the list of providers and then let the user remove them.
--
Mike Stay
st...@google.com

Reply all
Reply to author
Forward
0 new messages