Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Control API permissions #23

Open
muodov opened this issue Jul 13, 2022 · 2 comments
Open

Control API permissions #23

muodov opened this issue Jul 13, 2022 · 2 comments
Labels
agreed use case use case

Comments

@muodov
Copy link
Contributor

muodov commented Jul 13, 2022

Control API permissions

Submitter(s)

Maxim Tsoy (DuckDuckGo)

Motivation

In apps that can load arbitrary web apps, such as WebView-powered browsers, it is desirable to give users control over website permissions via custom native UI. For example, a browser can prompt a user to allow a web app to access the camera, and then show an indicator while it's being used. To allow browsers to manage permissions, we need WebView APIs to:

  • list what permissions have been set for a given site (allow/deny/query)
  • programmatically change and reset them
  • receive events when a permission is requested or used

Some examples of permissions include:

  • camera / microphone
  • geolocation
  • screen capture
  • other permissions managed with Permissions API

Stakeholders

WebView vendors (Google, Microsoft, Apple)
Browser vendors (e.g. DuckDuckGo)

Analysis

There's currently no cross-platform approach and support. Most WebViews provide events / APIs for specific permissions, but the feature parity could be better.
Some specific examples of limitations:

Related W3C deliverables and/or work items

Permissions API

How is the issue solved in the Browser, and what’s more is needed?

Non-webview Browsers have implement this using internal APIs.
@muodov muodov mentioned this issue Jul 13, 2022
Open
QingAn added a commit that referenced this issue Jul 27, 2022
@QingAn
Merge use case of issue 23
b65b38a 
Merge use case of #23
@QingAn QingAn mentioned this issue Jul 27, 2022
Merged
@QingAn
Copy link
Contributor

QingAn commented Jul 27, 2022

@muodov Please also take a look at #28

@QingAn QingAn removed the Agenda+ label Aug 3, 2022
@aluhrs13
Copy link

aluhrs13 commented Aug 8, 2022

Adding some additional thoughts - For the basic permissions cases WebView2 has a PermissionRequested event that allows the host app to directly handle permissions or show custom UI for a permission request. Since WV2 apps already have direct access to native APIs for something that would require permission for a normal web app, "bypassing" the web security makes sense. @muodov Did a great job enumerating some of the direct gaps we still have around managing permissions after the initial use-case.

One problem we've seen with WebView2 that would apply more generically here is implicitly captured in MicrosoftEdge/WebView2Feedback#2442. As the web platform evolves, these permissions are getting more and more complex. Camera, Geolocation, Notifications, etc. are all fairly simple allow or deny cases. The getDisplayMedia capability of the Screen Capture API is much more complex, with multiple tabs and options that if being given to the host app programmatically need to be customized. Making sure the approach to this problem can scale to future use-cases might need to do something like coordinate with the Permissions Registry as new permissions are added to have recomendations for how WebViews should handle them.

@muodov muodov mentioned this issue Aug 22, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
agreed use case use case
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@muodov @aluhrs13 @QingAn