-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make implicit and explicit deny indistinguishable #120
base: main
Are you sure you want to change the base?
Make implicit and explicit deny indistinguishable #120
Conversation
This is accomplished by adding a 2-minute timeout to reject an unfulfilled promise immediately before checking for implicit denies and not rejecting the promise when the implicit or explicit deny occurs.
If this is accepted we should note in the commit message that it fixes #60. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the idea here is that we still reject early for state-related reasons, such as there not being user interaction, but the user not answering or dismissing the prompt would result in rejection after two minutes?
This algorithm running while "in parallel" is problematic as you shouldn't (can't) mutate state on the global while "in parallel", but that's probably a follow-up. Most things can probably move to the main thread except for actually asking the user.
storage-access.bs
Outdated
@@ -244,14 +244,16 @@ To <dfn type="abstract-op">determine if a site has storage access</dfn> with [=p | |||
|
|||
To <dfn type="abstract-op">determine the storage access policy</dfn> for [=partitioned storage key=] |key| with {{Document}} |doc| and {{Promise}} |p|, run these steps: | |||
|
|||
1. [=Run steps after a timeout=] given |doc|'s {{Window}} object, `"requestStorageAccess"`, `120000`, and the following steps: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add a comment explaining this number. Since it's a number it's not to be wrapped in code.
Similarly, instead of "requestStorageAccess"
we want "requestStorageAccess
" (quotes outside code).
And we should probably use |doc|'s <a>relevant global object</a>
here. (Which we already obtain later, so we should move that step up I suppose.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will clean up the code quotes, rearrange this, and add a comment explaining the magic number.
Yes, exactly.
👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the idea here is that we still reject early for state-related reasons, such as there not being user interaction, but the user not answering or dismissing the prompt would result in rejection after two minutes?
Yes, exactly.
So what responses does the delay make indistinguishable, then?
It would be great if this change could come with an accompanying description of the threat and how we're mitigating it, e.g. in the Privacy & Security considerations.
1. If |implicitly granted| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return. | ||
1. If |implicitly denied| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|. | ||
1. If |implicitly denied| is true, return. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this ever need to return p
at all, given that the invoking function owns p
? Maybe we should clean that up everywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the only place we returned p
in this algorithm. I don't believe we need to return it here.
With this you cannot distinguish between the end user saying "no" and the end user saying nothing. |
Anne hit it pretty well in his comment.
Sure, I can add something in a subsection there. |
I don't think that that's accurate, and we should be precise about it to ensure we hit the goals outlined in #60 (comment):
So we want to ensure that sites cannot tell whether users have seen the prompt or whether browser policies restricted it. I think this PR does that by ensuring that implementation defined steps are rejected after the timeout, but I would like to be explicit about which steps we'd like to have covered under the timeout and which are fine to reject immediately. In fact, I think if we had a way to reach this goal while still letting the site know whether the user has responded or is still pondering that would be beneficial, as this is a major usability issue for well-intentioned sites. We've learned this lesson on Firefox for Notification permission prompts which the user could leave invisibly dangling, so that sites would remain in limbo state after asking for permission. It was not nice. We could consider shortening the timeout to, say, 1 min or 30s to reduce that effect. |
I discussed this further with John and he noted that always delaying the answer by a certain amount of time might leave the user with an unresponsive user interface. You click somewhere, you get a prompt, you reply, and then nothing happens (because the browser delays resolving the promise). So instead we should probably look into delaying the case where we're not prompting with some randomized amount of time that looks identical to the user replying, but cannot be used for tracking. |
Waiting on #121 |
This is accomplished by adding a 2-minute timeout to reject an unfulfilled promise immediately before checking for implicit denies and not rejecting the promise when the implicit or explicit deny occurs.
I am open to hearing better ways to specify a timeout or Promise fulfillment testing.
I am also open to discussion of removing the timeout entirely and allowing the Promise to leak.
Preview | Diff