From 26e9c8af38feeb9a633365b4eff9d48c6fd9cf3e Mon Sep 17 00:00:00 2001
From: Jeffrey Yasskin
Date: Wed, 13 Sep 2023 23:38:24 +0200
Subject: [PATCH 1/2] Inform users when a UA administrator overrides their
permission choices.
---
index.html | 55 ++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 39 insertions(+), 16 deletions(-)
diff --git a/index.html b/index.html
index 6fbe783..8b85bf1 100644
--- a/index.html
+++ b/index.html
@@ -234,7 +234,8 @@
Granted:
- The user, or the user agent on the user's behalf, has given [=express permission=] to
+ The user, or the user agent or its [=administrator=] on the user's behalf,
+ has given [=express permission=] to
use a [=powerful feature=]. The caller will can use the feature possibly without having
the [=user agent=] asking the user's permission.
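Review bot: "on the user's behalf" is the wrong framing for the administrator case in the Granted definition: the commit message describes an administrator overriding the user's permission choices, not acting for the user. Suggest splitting the sentence, e.g. "The user has given [=express permission=] to use a [=powerful feature=], or the user agent or its [=administrator=] has granted it on the user's behalf". While this sentence is being edited, the trailing context line "The caller will can use the feature" carries a pre-existing "will can" typo that should be fixed in the same hunk.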
@@ -242,7 +243,8 @@
Denied:
- The user, or the user agent on the user's behalf, has denied access to this [=powerful
+ The user, or the user agent or its [=administrator=] on the user's behalf,
+ has denied access to this [=powerful
feature=]. The caller will can't use the feature.
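Review bot: Same "on the user's behalf" framing problem as in the Granted definition: an administrator denying a feature is overriding the user, so the sentence should say so rather than folding the administrator into "on the user's behalf". The unchanged context line "The caller will can't use the feature" also has a pre-existing "will can't" typo ("The caller can't use the feature") worth fixing while the sentence is being touched.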
@@ -550,9 +552,11 @@
|settings|, returning |previousResult|, and the user agent has not received new
information about the user's intent since that invocation, return |previousResult|.
-
Return the instance of |name|'s [=powerful feature/extra permission data type=]
- that matches the UA's impression of the user's intent, taking into account any
- [=powerful feature/extra permission data constraints=] for |name|.
+
Return the instance of |name|'s [=powerful feature/extra permission data type=] that
+ matches the UA's impression of the user's intent, combined with any configuration from
+ the user agent's [=administrator=], taking into account any [=powerful feature/extra
+ permission data constraints=] for |name|. If [=administrator=] configuration affected the
+ result, the [=user agent=] must inform the user.
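Review bot: "If [=administrator=] configuration affected the result, the [=user agent=] must inform the user" introduces a lowercase "must" inside an algorithm step, whereas the rest of the document uses capitalized RFC 2119 keywords (for example "A user agent SHOULD provide a means" in the later hunk), and "affected the result" is undefined when the administrator's configuration and the UA's impression of the user's intent coincide. Suggest either "If the returned instance differs from the one that would have been returned without [=administrator=] configuration, the [=user agent=] MUST inform the user", or keep the algorithm step as a plain "inform the user" instruction and state the normative requirement in a sentence outside the algorithm. The "-" / "+" blank-line pair at the top of the hunk is whitespace-only churn and can be dropped.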
@@ -817,18 +821,31 @@
If current state is not {{PermissionState/"prompt"}}, return current
state and abort these steps.
If the [=user agent=] has an [=administrator=] who has configured the [=user agent=]
+ to grant or deny permission for the calling algorithm to use the powerful feature
+ described by |descriptor|:
+
+
Set |current state| to {{PermissionState/"granted"}} if the [=administrator=]
+ granted permission; otherwise to {{PermissionState/"denied"}}.
+
Inform the user of the [=administrator=]'s configuration.
+
-
If the user gives [=express permission=] to use the powerful feature, set |current
- state| to {{PermissionState/"granted"}}; otherwise to {{PermissionState/"denied"}}. The
- user's interaction may provide new information about the user's intent for the
- [=origin=].
-
- This is intentionally vague about the details of the permission UI and how the user
- agent infers user intent. User agents should be able to explore lots of UI within
- this framework.
-
If the user gives [=express permission=] to use the powerful feature, set |current
+ state| to {{PermissionState/"granted"}}; otherwise to {{PermissionState/"denied"}}. The
+ user's interaction may provide new information about the user's intent for the
+ [=origin=].
+
+ This is intentionally vague about the details of the permission UI and how the user
+ agent infers user intent. User agents should be able to explore lots of UI within
+ this framework.
+
+
+
Let |key| be the result of [=powerful feature/permission key generation
algorithm|generating a permission key=] with the [=current settings object=].
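Review bot: The new administrator branch is placed after "If current state is not "prompt", return current state and abort these steps", so it only runs when nothing has been decided for the origin yet; an administrator setting can therefore never override a state the user has already chosen, which is exactly what the commit message says this patch does. Either move the administrator check ahead of that early return, or state explicitly that administrator configuration applies only when the user has not yet decided. Separately, once the branch sets |current state| from the administrator's configuration, the following step "If the user gives [=express permission=] to use the powerful feature, set |current state| to "granted"; otherwise to "denied"" would prompt the user and overwrite that value unless it is marked as an alternative; make that step "Otherwise:" (or return after "Inform the user of the [=administrator=]'s configuration") so the user is not asked for a decision the administrator has already made. The removed and re-added prompt-step text appears to be re-indentation only; if so, say so in the commit message.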
@@ -1308,6 +1325,12 @@
A user agent SHOULD provide a means for the user to review, update, and reset the
[=permission=] [=permission/state=] of [=powerful features=] associated with an [=origin=].
+
+ Some [=user agents=] support administrators who can
+ override user choices about permissions, either to block permissions or to allow them on
+ certain sites. Overriding user choices in this way can be a privacy problem, so this
+ specification requires that the [=user agent=] inform users when it happens.
+
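Review bot: "this specification requires that the [=user agent=] inform users when it happens" has nothing normative to point at: the only places that impose it are a lowercase "must" in the extra-permission-data algorithm and an "Inform the user" algorithm step. Add a normative sentence here or in the algorithm section, e.g. "A [=user agent=] MUST inform the user when an [=administrator=]'s configuration determines the [=permission/state=] of a [=powerful feature=] for an [=origin=]", and consider saying whether administrator-configured state appears in the review/update/reset UI described in the paragraph immediately above, since that is where users would look for it.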
- The user, or the user agent or its [=administrator=] on the user's behalf,
+ The user, or the user agent or an [=administrator=] on the user's behalf,
has given [=express permission=] to
use a [=powerful feature=]. The caller will can use the feature possibly without having
the [=user agent=] asking the user's permission.
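Review bot: Changing "its [=administrator=]" to "an [=administrator=]" correctly removes the implication that a user agent has exactly one administrator, but the sentence still describes the administrator as acting "on the user's behalf", which does not match an override of the user's choice; restructure the sentence so the administrator case is stated separately from the user's express permission. The pre-existing "The caller will can use the feature" typo in the trailing context is still untouched.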
@@ -243,7 +243,7 @@
Denied:
- The user, or the user agent or its [=administrator=] on the user's behalf,
+ The user, or the user agent or an [=administrator=] on the user's behalf,
has denied access to this [=powerful
feature=]. The caller will can't use the feature.
@@ -554,9 +554,9 @@
Return the instance of |name|'s [=powerful feature/extra permission data type=] that
matches the UA's impression of the user's intent, combined with any configuration from
- the user agent's [=administrator=], taking into account any [=powerful feature/extra
- permission data constraints=] for |name|. If [=administrator=] configuration affected the
- result, the [=user agent=] must inform the user.
+ an [=administrator=], taking into account any [=powerful feature/extra permission data
+ constraints=] for |name|. If [=administrator=] configuration affected the result, the
+ [=user agent=] must inform the user.
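Review bot: Three lines are re-wrapped for a one-word change ("its" to "an"), which makes the substantive diff hard to read; while re-wrapping anyway, "the [=user agent=] must inform the user" should become "MUST" to match the capitalized RFC 2119 keywords used elsewhere in the document (e.g. "A user agent SHOULD provide a means"), and "affected the result" still needs a definition for the case where administrator configuration and the user's intent agree.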
@@ -821,8 +821,8 @@
If current state is not {{PermissionState/"prompt"}}, return current
state and abort these steps.
-
If the [=user agent=] has an [=administrator=] who has configured the [=user agent=]
- to grant or deny permission for the calling algorithm to use the powerful feature
+
If an [=administrator=] has configured the [=implementation=] to grant or deny
+ permission for the calling algorithm to use the powerful feature
described by |descriptor|:
Set |current state| to {{PermissionState/"granted"}} if the [=administrator=]
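Review bot: The condition now reads "If an [=administrator=] has configured the [=implementation=]" while the surrounding text still refers to the [=user agent=] (the Granted/Denied definitions say "the user agent or an [=administrator=]", and the next step is "Inform the user of the [=administrator=]'s configuration"). If [=implementation=] is intended to cover both the user agent and the device it runs on, the definitions and the inform step should use the same term, and [=implementation=] needs a definition or link the autolinker can resolve. The "-" blank line removed and "+" blank line added around the "If" are whitespace churn.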
@@ -1331,6 +1331,18 @@
certain sites. Overriding user choices in this way can be a privacy problem, so this
specification requires that the [=user agent=] inform users when it happens.
+
+
+ These [=administrators=] might be able to configure either an individual [=user agent=] or
+ the device it runs on, or both. It can be a privacy problem for a device-level
+ [=administrator=] to control a [=powerful feature=] that primarily operates on a single
+ [=user agent=], and it can also be a privacy problem for a user-agent-level
+ [=administrator=] to control another [=powerful feature=] that operates on the device as a
+ whole. [=Implementations=] should take this into account when defining their administration
+ policies, but for now the details aren't standardized.
+
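Review bot: "for now the details aren't standardized" is too informal for specification text and gives implementers nothing actionable; replace it with what is expected, e.g. that an [=implementation=] SHOULD restrict device-level [=administrators=] to [=powerful features=] that operate on the device as a whole and user-agent-level [=administrators=] to features scoped to that user agent, and that the [=user agent=] still informs the user in either case. Since this paragraph introduces device-level and user-agent-level administrators, the [=administrator=] definition should be updated to distinguish the two. Naming one feature from this specification's own registry for each of "primarily operates on a single [=user agent=]" and "operates on the device as a whole" would make the privacy concern concrete.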