Empowered apps

[tidoust]

Professional applications need to access lower level features, which cannot be exposed on the Web at large to avoid abuse by malicious sites. What mechanism could be used to allow for a different trust model for certain apps?

Raised in:

• Whatever can be done, will be done

[chrisn]

This talk discusses how to grant access to powerful features . One approach I've seen discussed in the Device and Sensors WG is semantic permission bundles, which could group together multiple related permissions under one user prompt. There is also a proposal from Microsoft for granting permissions for PWAs at install time. See:

• Minutes from Device and Sensors WG meeting at TPAC 2021
• Semantic Permission Bundles permissions#191
• https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/InstallTimePermissionsPrompt/Explainer.md

[chrisguttandin]

I think it would be great if permissions could be granted/revoked/denied programmatically when running automated tests. I just found out that there is a Browser Testing and Tools Working Group. Maybe this is of interest for them.

So far there are some flags one can set when starting Chromium browsers or Firefox but they are not very well documented. At least to my knowledge this page is the most extensive list of Chromium flags which may or may not work any longer.

It's also possible to change permissions via the Chrome DevTools Protocol. It has experimental support for a Browser.grantPermissions and Browser.resetPermissions method.

All browsers allow to manually grant or revoke permissions but that doesn't really help when running automated tests.

[rektide]

Professional applications need to access lower level features,

I generally agree. What are some examples we can think of for permissions that would be useful?