Consider removing Permissions.revoke(). #46
Comments
|
We discussed the addition of these methods in a webapp sec meeting and it was well received. I forgot to update the header of the document. Will do. |
|
For the record, I think that request is a terrible idea. Revoke just doesn't make sense (see https://w3c.github.io/webappsec/specs/clear-site-data/) |
|
What should I be looking at in that spec? |
|
It clears state for a site, which (presumably) includes permissions. |
|
@martinthomson are you saying revoke doesn't make sense in this API because the functionality might be accomplished through an addition to Clear Site Data instead? Or that it's intentionally not present in Clear Site Data because revocation doesn't make sense in general? |
|
@ndoty, it simply doesn't have a motivation that I understand. Why would an origin choose to invoke it? What value does a user obtain by providing an origin with this capability? Where is the quid pro quo? |
|
@martinthomson I think you meant to tag @npdoty. |
|
@martinthomson Origins might choose to revoke persisted permissions for reasons similar to why they might want to clear site data in general. For example, if a user logs out and a different user logs in, the site might want the new user to have the same controls and user experience as if permission had never been granted on that origin. Or a site might try to reduce the security risk on their site (either because they know they've suffered an attack, or because the permissioned functionality is no longer necessary and so the site generally wants to reduce surface) by explicitly revoking a permission that was previously requested and may have been persisted. The user benefits from the site knowing when it makes sense, based on that application's logic, to revoke a permission. In the log-out scenario, the browser doesn't know that the user has changed. I could see some users who want to override the behavior and I don't think the spec needs to (or could!) prevent that; as always, users can configure their agents how they wish. |
|
The problem with revocation is that those reasons aren't particularly convincing, and it then results in more permissions requests from the site. That's either mildly annoying ("didn't I just say yes"), or hazardous (training users to click through without consideration). Also, I disagree that sites want to do this. We see sites actually being unwilling to ask for permission, simply because a user might deny the request and that denial might then be permanent. The new user argument is a bad one. That's why browsers have profiles. We're not great in that regard, but we're working on it. As far as attack surface goes, that is what we have CSP for. If the site doesn't want a permission, and we think that's a valid thing to want, then a CSP directive is the right place for that. |
|
@martinthomson Could you open a separate issue for removing @raymeskhoury do you have any opinions on removing I think I'm favorably inclined toward removing it (at least for initial implementations of the spec), but even if we do that I think the spec should discuss the UA's right to revoke any permission (or any piece of a permission) at any time based on user signals. For example, the Web Bluetooth spec says:
We could just ask each permission'ed spec to separately include text like that, but I'd rather try to say it once. |
|
I think I agree - I don't see particularly compelling uses of revoke(). |
|
Both Chrome and Firefox have an implementation of |
|
They're not shipped, so we don't need it in the spec just to reflect implementation practice. We generally try not to ship non-useful APIs, so if everyone agrees it's not useful, we should definitely remove it. I'm not sure everyone does agree: what venue's been discussing this API, from which we could pull more opinions? |
|
@martinthomson I agree with you in #46 (comment) that Fyi the note in the introduction in your first comment here has since been removed in #79 for "consistency reasons"... |
Are you concerned about
Every account-based web site I've used has a logout model, so that I can log out of my account and someone else can log in, without invoking a browser feature. (Personally, I don't know offhand how to change the browser profile on any of my desktop browsers, much less my mobile phone browsers. I use private browsing modes to approximate this functionality.) I would be honestly very curious to know if there are sites that don't have a logout flow because they expect users to manage cookies or browser profiles instead. Perhaps this will be the future model one day, but right now it seems like a very large fraction of sites want to be able to control the user experience so that one user can log out and another log in.
I'd be curious to know more about how this option would work. But the persisted permissions risk cases are specifically ones where the site does want the capability to request a permission sometimes (because they're using the camera briefly to take an avatar image of the user, say) but not all the time. It seems like making the site's CSP dynamic to all those situations wouldn't be the preferred way for the site to handle these use cases, but I'm not sure. |
|
@jyasskin I know it's been discussed in the Media Capture Task Force; revoking/delete permissions has been discussed there for |
|
@npdoty on Media Capture and Streams, lets not take some spec editors' desire to outsource terminology and internal browser algorithms, for whatever reason - something they are doing without any list discussion mind you on an API that's supposed to be 1.0 done - and confuse that with normative references to web-facing APIs of which there are none. |
|
@npdoty ah sorry, makes sense now. |
I think that if it is used at all, even on the same sort of schedule as a log out (to go to your analogy) then we get into user training territory.
This is an interesting analogy, but not one that holds up. I would consider this less of a temporary break in the way that logout is temporary, but more like giving a site your mailing address, then asking them to forget it and scrub their database of the info. Sure, you can type the address into a form again every time you log in, but why would a site give that information up?
The model is very simple. CSP allows a site to voluntarily relinquish certain capabilities. Usually, this is used to protect the server by also protecting the integrity of the page ("only load this JS", or "only load JS from here"). And yes, this can be (and often is) entirely dynamic. |
I'm not sure why you prefer the analogy of deleting information that's already been sent to the server; that could be an interesting feature, but it's not what I don't just mean logging out as an analogy but as a use case. Logging out isn't just temporary, it may also indicate a situation where a different user is using the same user agent and the site may want to provide the same first-time user experience to the new user. When one of my family members logs into a mapping application using my computer and browser, they're going to be surprised if the application can access their location without being prompted by the browser. A site could fix that surprising situation by indicating to the browser when a new user logs in that any previously persisted permissions should be revoked. |
|
Since Firefox has shipped |
|
Um, I wouldn't assume there is coordination between spec folks and folks implementing, unfortunately... sometimes, features get added by community members without any coordination with platform teams. |
|
(e.g., no idea why Permissions API shipped to Firefox without being behind a pref... that should probably not have happened given how early on we are in the design of this API) |
|
For the record, I still think giving sites the ability to mess with user settings like this is a terrible idea. It's taking power away from the user, if ever so marginally, and I suspect |
I agree. This seems bad.
I respectfully disagree. Requesting access is less privileged than calling any of the powerful feature APIs (because it does not have the side-effect of spinning up geo, or the camera, etc). So, if anything, calling straight up geolocation.getCurrentPosition() or getUserMedia() seems like a much larger intrusion than .request(). But I might be missing something? |
|
We need the folks speaking on behalf of Mozilla to be able to affect the code Mozilla ships. Let's discuss |
FWIW, that's the team @annevk and I are on (DOM Team). We can get whatever fixed, but we need to have a shared understanding before we can go requesting code fixes. It feels to me that we should probably put Permissions API behind a pref. in Gecko for now. |
|
@marcoscaceres That sounds like a good idea until we figure this out. @martinthomson WDYT? |
|
I am not a fan of implementing anything other than query so some sort of guard on the api certainly seems like a reasonable idea to me. A pref or even google's experimental feature api. Neither implies a commitment to maintain the functionality in perpetuity. |
|
@jyasskin Can we reopen this then please? |
|
I'm not convinced by the arguments put forward so far either. Clear Site Data serves a clear need and does not in fact remove any stored permissions. It's a way to help sites that have been locally compromised to regain control over that local copy. The "logging out" scenario only makes sense if "logging in" would enable the permission again. I.e., if the user agent managed authentication. Even if we ever reach that point, it would be the user agent managing it, not the site, and thus also not necessitate |
|
@annevk per conversation with @martinthomson above: it's true that added user convenience could be possible if browser profiles or some other UA feature were widely used to handle authentication. However, that doesn't happen often today. In the meantime, sites can use logic specific to their situation to indicate to a user agent that a permission shouldn't be persisted; for example, if they know that the current user is new to the site and its functionality. Clear Site Data isn't just for the use case of recovering from an attack. For example, see: Section 1.1.1 Signing Out. |
|
Having sites mess with what traditionally is understood to be user settings, undermines a user's trust in their agent. Poor site behavior can affect the user experience in a way that users will attribute to the agent, more so than e.g. broken js. Basically, a user may say "Why does Firefox keep bugging me about permission for this site when I've told it not to?" |
|
For "Super Secret Social Network" use private browsing. |
|
Yeah, that seems like a bad example / use case. |
|
Assuming the Mozilla spec folks get |
|
@ShijunS Any thoughts from the Edge team? |
|
I do see valid point from the concern raised by @martinthomson and @jan-ivar. User permissions are typically managed by users directly through the user agent UI and also very often kept in sync with the corresponding OS settings. The revoke() method can potentially make the user permission management more convoluted. Meanwhile, we should keep in mind that user permissions could be given and stored as either "granted" or "denied". I don't think the revoke() process has been clearly defined for all the scenarios.
I just started looking into the spec, so hope experts in the WG can help point out if I have missed anything. |
|
Just an update, we've pref'ed off |
They've moved to incubations in https://github.com/jyasskin/permissions-request and https://github.com/jyasskin/permissions-revoke. This fixes w3c#46 and fixes w3c#83.
They've moved to incubations in https://github.com/jyasskin/permissions-request and https://github.com/jyasskin/permissions-revoke. This fixes #46 and fixes #83.
The introduction says:
However, these exist in the document. Should they be removed? (I would say "yes".)
The text was updated successfully, but these errors were encountered: