[whatwg] Proposal for a web application descriptor

Henri Sivonen hsivonen at iki.fi
Mon May 2 02:47:26 PDT 2011

On Sat, 2011-04-30 at 09:52 -0400, Glenn Maynard wrote:
> > Asking for specific permissions in the context of a user action is 
> > the
> > only model that makes sense to me. When applications ask for a big 
> > bundle of
> > permissions in advance, how can I as a user know what to do? I'm
> > sure to get
> > into a habit of either blindly denying the permissions (crippling
> > applications), or granting the permissions (terrible for security).
> >
> > While some Mozilla developers may think "big bundle of permissions"
> > is a
> > good idea, others such as me do not.
> I'd wonder what their response is to Android; the problems on that
> platform
> are obvious.  The result is exactly as you say: people end up giving
> up and
> just accepting everything. 

There's also the problem that legitimate permission requests that lack
context make people who understand the implications needlessly cautious.
For example, some of my friends were suspicious of Firefox for Android
wanting access to geolocation. The request for the permission wasn't in
the context of an explanation of how Firefox uses that system API to
implement the Web geolocation API and has its own authorization UI layer
on top of it.

(I think asking for a specific permission in the context of a user
interaction is better than asking for a bunch of stuff up front.)

Henri Sivonen
hsivonen at iki.fi

More information about the whatwg mailing list