-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preventing blackmail #171
Comments
If you're happy with the new Android model, where users can decline particular permissions but still use the rest of an application, you should also be happy with the web model including |
in fact any structure of the API allowing easy determination if the permission is granted does |
@jyasskin This may not be in mainstream Android but at least some ROMs allow pretending that the data is available but returning for example an empty list of contacts. Shouldn't the API not only "not encourage" blackmail but make it more difficult? @KOLANICH |
@gutsle, there some emploees of the company taking the major share of browser market in W3C. That company somewhen have proposed to allow webapps to use sensors without permissions, which has been implemented in their OS for ages. The company seems to be interested somehow in allowing web apps spying on users. Maybe because it has own analytics and advertising services. But the good point that it cannot block the faking implementation by just refusing to accept the spec into the standard. I guess we need to make Mozilla to implement faking without taking in account the fact that this is not is in the standard. |
@KOLANICH the accusations in the message above go beyond the scope of appropriate discussion for W3C forums. Please do not do so again. This issue is closed. |
Nothing in the spec prevents a user agent (for example, the Tor Browser) from lying with the data returned if the permission is granted. |
Anyway I insist on standardizing the faking feature for encouraging browsers vendor to implement it, discouraging *mailing and encouraging users to recognize it as a part any browser must have. |
Android permissions have evolved to allow a user allowing and denying specific requests made by an application. An application could just ask the user for location data, even though it was irrelevant for the functioning of the application. The application has to be able to deal with requests failing. This is useful because before the changes it was possible for an application to essentially blackmail a user into accepting permissions and refusing installation otherwise.
This problem is even worse on the web where absolutely no trust relationship to opened sites exist.
The question I am positing is: Does this proposal create similar problems?
The text was updated successfully, but these errors were encountered: