Inform users when a UA administrator overrides their permission choices. #420

Open. Wants to merge 2 commits into base: main.
67 changes: 51 additions & 16 deletions index.html
@@ -234,15 +234,17 @@ <h3>
<dfn class="export" data-local-lt="grant" data-dfn-for="permission">Granted</dfn>:
</dt>
<dd>
The user, or the user agent on the user's behalf, has given [=express permission=] to
The user, or the user agent or an [=administrator=] on the user's behalf,
has given [=express permission=] to
use a [=powerful feature=]. The caller will can use the feature possibly without having
the [=user agent=] asking the user's permission.
</dd>
<dt>
<dfn class="export" data-dfn-for="permission">Denied</dfn>:
</dt>
<dd>
The user, or the user agent on the user's behalf, has denied access to this [=powerful
The user, or the user agent or an [=administrator=] on the user's behalf,
has denied access to this [=powerful
feature=]. The caller will can't use the feature.
</dd>
</dl>
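Review bot: the reworded "Granted" state says an administrator "has given [=express permission=]" on the user's behalf, but the requesting algorithm later in this patch treats administrator configuration and express permission as separate branches ("If an [=administrator=] has configured ..." versus "Otherwise: Ask the user for [=express permission=]"), so describing the administrator's configuration as express permission is inconsistent; consider wording along the lines of "The user, or the user agent on the user's behalf, has given [=express permission=], or an [=administrator=] has configured the [=user agent=] to grant access to a [=powerful feature=]", and mirror it for "Denied". The unchanged context lines "The caller will can use the feature" and "The caller will can't use the feature" also carry a pre-existing "will can" typo that is worth fixing while these two definitions are being edited.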
@@ -550,9 +552,11 @@ <h2>
|settings|, returning |previousResult|, and the user agent has not received <a>new
information about the user's intent</a> since that invocation, return |previousResult|.
</li>
<li>Return the instance of |name|'s [=powerful feature/extra permission data type=]
that matches the UA's impression of the user's intent, taking into account any
[=powerful feature/extra permission data constraints=] for |name|.
<li>Return the instance of |name|'s [=powerful feature/extra permission data type=] that
matches the UA's impression of the user's intent, combined with any configuration from
an [=administrator=], taking into account any [=powerful feature/extra permission data
constraints=] for |name|. If [=administrator=] configuration affected the result, the
[=user agent=] must inform the user.
</li>
</ol>
<p>
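Review bot: "combined with any configuration from an [=administrator=]" leaves the precedence undefined when the UA's impression of the user's intent and the administrator's configuration disagree; state explicitly which one wins (the PR title and the rest of the patch imply the administrator's configuration overrides the user's choice). The new sentence "the [=user agent=] must inform the user" is also written with a lowercase "must" in a file that uses capitalized RFC 2119 keywords elsewhere in this diff ("A user agent SHOULD provide a means ..."), so it should read "MUST" if it is meant to be normative, and it should say when the user is informed (at the time this result is computed, or through the review UI).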
@@ -817,18 +821,31 @@ <h3 id="requesting-more-permission">
<li>If <var>current state</var> is not {{PermissionState/"prompt"}}, return <var>current
state</var> and abort these steps.
</li>
<li>Ask the user for <a>express permission</a> for the calling algorithm to use the
<a>powerful feature</a> described by |descriptor|.
<li>If an [=administrator=] has configured the [=implementation=] to grant or deny
permission for the calling algorithm to use the <a>powerful feature</a>
described by |descriptor|:
<ol>
<li>Set |current state| to {{PermissionState/"granted"}} if the [=administrator=]
granted permission; otherwise to {{PermissionState/"denied"}}.</li>
<li>Inform the user of the [=administrator=]'s configuration.</li>
Member Author comment:

Similarly here, should we only inform the user if the admin configuration forced a 'grant' result?

Member comment:

This seems to assume the policy is being applied in real time?

</ol>
</li>
<li>If the user gives [=express permission=] to use the powerful feature, set |current
state| to {{PermissionState/"granted"}}; otherwise to {{PermissionState/"denied"}}. The
user's interaction may provide <a>new information about the user's intent</a> for the
[=origin=].
<p class="note">
This is intentionally vague about the details of the permission UI and how the user
agent infers user intent. User agents should be able to explore lots of UI within
this framework.
</p>
<li>Otherwise:
<ol>
<li>Ask the user for <a>express permission</a> for the calling algorithm to use the
<a>powerful feature</a> described by |descriptor|.
</li>
<li>If the user gives [=express permission=] to use the powerful feature, set |current
state| to {{PermissionState/"granted"}}; otherwise to {{PermissionState/"denied"}}. The
user's interaction may provide <a>new information about the user's intent</a> for the
[=origin=].
<p class="note">
This is intentionally vague about the details of the permission UI and how the user
agent infers user intent. User agents should be able to explore lots of UI within
this framework.
</p>
</li>
</ol>
</li>
<li>Let |key| be the result of [=powerful feature/permission key generation
algorithm|generating a permission key=] with the [=current settings object=].
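Review bot: the new administrator branch comes after the unchanged step "If current state is not {{PermissionState/"prompt"}}, return current state and abort these steps", while the earlier hunk in this patch already folds administrator configuration into the computed permission result; when that result is "granted" or "denied" the algorithm aborts before reaching this branch, so in the configured case the branch looks unreachable and the two "inform the user" requirements overlap. Decide on one place to apply the administrator's configuration (and to inform the user) and drop the other, or make the abort step explicitly skip administrator-configured states. Minor: this branch says the administrator configured the [=implementation=] whereas the other hunks say [=user agent=]; use one term.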
@@ -1308,6 +1325,24 @@ <h2 id="privacy-considerations">
A user agent SHOULD provide a means for the user to review, update, and reset the
[=permission=] [=permission/state=] of [=powerful features=] associated with an [=origin=].
</p>
<p>
Some [=user agents=] support <dfn data-lt="administrator">administrators</dfn> who can
Member Author comment:

I expect the <dfn> to move somewhere else, perhaps Infra, in the future, but I think the discussion about putting it there will be easier if it's already used in a spec or two first.

override user choices about permissions, either to block permissions or to allow them on
certain sites. Overriding user choices in this way can be a privacy problem, so this
specification requires that the [=user agent=] inform users when it happens.
Member comment:

Out of curiosity, do any browsers in managed environments expose admin set permissions today?

On my work laptop, I see the following in settings in Chrome:

[Screenshot 2023-09-15 at 3:30:56 PM]

And the following in Firefox settings:

[Screenshot 2023-09-15 at 3:31:00 PM]

@jyasskin (Member Author), Sep 25, 2023:

Chrome has a couple that are exposed like

[Image: calendar.google.com site info panel showing Notifications, Allowed, and "Managed by your organization"]

and

[Image: "HID devices with usages from usage page F1D0" allowed to chrome-extension://ckcendljdlmgnhghiaomidhiiclmapok/. This setting is managed by your administrator.]

</p>
<aside class="note">
[=Administrators=] often configure [=user agents=] through "enterprise policy".
</aside>
<p>
These [=administrators=] might be able to configure either an individual [=user agent=] or
the device it runs on, or both. It can be a privacy problem for a device-level
[=administrator=] to control a [=powerful feature=] that primarily operates on a single
[=user agent=], and it can also be a privacy problem for a user-agent-level
[=administrator=] to control another [=powerful feature=] that operates on the device as a
whole. [=Implementations=] should take this into account when defining their administration
policies, but for now the details aren't standardized.
</p>
</section>
<section id="security-considerations">
<h2>
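Review bot: the new paragraph states that "this specification requires that the [=user agent=] inform users", but the inform-the-user steps elsewhere in this patch are written as a plain imperative ("Inform the user of the [=administrator=]'s configuration.") or a lowercase "must", so either promote them to a capitalized MUST or soften this sentence to match. The new <dfn data-lt="administrator">administrators</dfn> also lacks the class="export" that the other definitions in this file carry (for example <dfn class="export" data-dfn-for="permission">Denied</dfn>); since the author's comment expects the term to be used by other specs before it moves to Infra, consider adding it so the term is referenceable from outside this document. It would also help to say whether the review/update/reset means in the unchanged paragraph above shows administrator-set states, given that the user cannot reset those.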