Is Trusted Immersive UI a conformance requirement?

[NellWaliczek]

[Disclaimer: This issue is one of several being filed to capture discussions that began either on #638, on #689, or at the most recent F2F]

This issue is NOT to discuss the requirements for what Trusted Immersive UI should look or behave like. That conversation is happening in #718

Instead, this issue tracks the question of whether a Trusted Immersive UI is a requirement for a UA to be considered conformant with WebXR.

(Note: this is also related to issue #702 which discusses figuring out what to do with non-XR feature permissions which developers may request during an immersive session)

[joshmarinacci]

The answer can only be yes: a trusted UI is a requirement. If a UA is not able to provide a trusted UI while in immersive mode then it must either ask for consent at the time the page requests immersive mode, or it should exit immersive mode when asking for consent. Essentially using non-immersive mode as the trusted UI.

[NellWaliczek]

That's a pretty strong stance, Josh.

I think there's agreement that user consent should not be requested mid-session if trusted UI doesn't exist. But I don't think there's yet agreement that a User Agent is required to provide Trusted Immersive UI. If it didn't, the UA might alternatively choose to simply automatically reject the mid-session request. Which really, wouldn't be any different from a developer perspective since the feature being protected may not be available on all hardware anyway.

[ddorwin]

If it didn't [provide Trusted Immersive UI], the UA might alternatively choose to simply automatically reject the mid-session request. Which really, wouldn't be any different from a developer perspective since the feature being protected may not be available on all hardware anyway.

While the application would technically behave as if the user had denied consent, the developer probably doesn't expect that all users on a given user agent will be unable to use that part of their application. See the first paragraph of #720 (comment) for more discussion.

[NellWaliczek]

Can you elaborate a bit, @ddorwin? I'm not quite following what you mean or how that's related to the comment in #720?

[avadacatavra]

I think that we can say something along the lines of:

For any mid-session prompts, UAs should either

• use a trusted immersive UI to present the prompt to the user, where the trusted UI fulfills the requirements in What is Trusted Immersive UI? #718 OR
• pause/suspend immersive mode in order to handle the prompt, then when it's resolved, reenter immersive mode

This will allow UAs to implement (or not) trusted UIs as they prefer

[Manishearth]

Based on discussions at TPAC (mostly captured in @avadacatavra's comment), we should spec that "trusted UI" is a requirement (but not necessarily "trusted immersive UI") where trusted UI is either trusted immersive UI or "pause immersive mode and handle a prompt"

[Manishearth]

will be fixed by #875