[w3c/permissions] Introduce "Automation" section (#151)

(Rendered version available at https://bocoup.github.io/permissions/index.html#automation)

The goal of this patch is to support user-agent automation and application testing for integration with the Permissions API. It's based on [a recent mailing list discussion](http://lists.w3.org/Archives/Public/public-webappsec/2017May/0001.html) and [subsequent "brainstorming" document](https://docs.google.com/document/d/1Oe4VhgdFnZ6ID3WGyG97n_b1khvYsRcX7T4ddNcyJ9A/edit#heading=h.xws79928vxeg). There, we decided that it would be necessary to simulate user response to "pending" requests from the "request permission to use" and "prompt the user to choose" algorithms. However, the specification does not currently track these requests outside of the algorithms themselves. Automation introduces the need for two operations:

1. Retrieving pending requests
2. Request differentiation

Both of these could certainly be implemented in formal specification language, though this would involve modification of sections other than "Automation". In some ways, we are breaking new ground here, and I am reluctant to complicate this specification (or any other) with normative text that does not directly further the use case. So for this initial draft, I have erred on the side of minimalism. More specifically:

1. I have implemented request retrieval with the text: "each 'request
   permission to use' operation that is awaiting user input" and "each 'prompt
   the user to choose' operation that is awaiting user input". Is that
   sufficient?
2. I'm assuming that once the requests have been retrieved, they may be uniquely
   identified by the permission descriptor that was used to create them. My
   understanding is that although the UA may choose to present requests to the
   user in a number of different ways (i.e. consolidating parallel requests for
   distinct Bluetooth devices), each request must still be associated with a
   single permission descriptor as specified through the JavaScript API. When
   it comes to simulating user denial, this approach conflates "use" requests
   and "choose" requests under the assumption that a given permission
   descriptor will never describe both kinds of requests simultaneously. Is
   that accurate?

Separately, it looks as though there is no restriction on the value type for options available in "prompt the user to choose." Is this intentional? For now, the proposed automation language is similarly type-neutral.

...but these are just the potential problems that I've identified. I welcome feedback of any kind, of course!

cc @shs96c @foolip
You can view, comment on, or merge this pull request online at:

  https://github.com/w3c/permissions/pull/151

-- Commit Summary --

  * Introduce "Automation" section

-- File Changes --

    M index.bs (228)

-- Patch Links --

https://github.com/w3c/permissions/pull/151.patch
https://github.com/w3c/permissions/pull/151.diff


Received on Tuesday, 20 June 2017 20:05:01 UTC