Trust & Permissions Community Group


Note: Community Groups are proposed and run by the community. Although W3C hosts these conversations, the groups do not necessarily represent the views of the W3C Membership or staff.

This group does not have a Chair and thus cannot publish new reports. Learn how to choose a Chair.

Call for Participation in Trust & Permissions Community Group

The Trust & Permissions Community Group has been launched:


As the Open Web Platform expands, and apps are developed that access various sensitive resources, new ways of managing permissions to access these resources are likely to arise. This Community Group will explore and evaluate such ways based upon experience with native and hybrid platforms, and drawing upon research studies. This follows on from the Paris meeting on trust and permissions held on 3-4 September 2014, see [1].

Resources vary in sensitivity and timeliness, e.g. when and to whom a password should be disclosed is quite different from when access to the user’s webcam should be granted. Similarly, modes of obtaining user permission vary: users can be asked upfront when an app is installed or first run (exemplified in Android and Windows), or asked when the application is attempting to use a given capability (exemplified in iOS). Permission can even be obtained after the fact by inviting the user to continue or to cancel an action after it has occurred, i.e. asking for forgiveness rather than permission. In some cases, the user’s actions can be taken as implicitly granting permission, such as the Windows file chooser dialog. A further approach is for users to delegate decisions on permissions to a trusted 3rd party.

The goal of this CG is to develop and articulate best practices for which modes of obtaining permission best match which resource types, and make these best practices available to both platform developers (browser and operating system vendors) and app developers. Ideally the APIs offered to apps to obtain permission to access resources should be consistent across platforms, while allowing platforms the flexibility to present a user experience that meets each platform’s needs.

The scope of this Community Group is limited to discussion and guidance on best practices, review of draft APIs from individual WGs, and pre-standardization work on promising ideas for a better user experience when obtaining permission, including trusted UI and trust delegation per Roesner et al., see [2]. Work on best practices will focus on the kinds of resources that need protection, enumerating good ways to obtain user permission, recommending against permission models that are known to be problematic, and recommending the preferred user experience for a given kind of resource. The main focus is on the Open Web Platform, but packaged apps are not excluded.

This group will not publish Specifications.

[1] http://www.w3.org/2014/07/permissions/
[2] http://research.microsoft.com/pubs/152495/user-driven-access-control-nov2011.pdf


In order to join the group, you will need a W3C account.

This is a community initiative. This group was originally proposed on 2015-01-15 by Dave Raggett. The following people supported its creation: Dave Raggett, Mike O'Neill, Dominique Hazaël-Massieux, Wayne Carr, Wendy Seltzer. W3C’s hosting of this group does not imply endorsement of the activities.

The group must now choose a chair. Read more about how to get started in a new group and good practice for running a group.

We invite you to share news of this new group in social media and other channels.

If you believe that there is an issue with this group that requires the attention of the W3C staff, please email us at site-comments@w3.org

Thank you,
W3C Community Development Team