Inform users when a UA administrator overrides their permission choices. #420
index.html
permission data constraints=] for |name|. If [=administrator=] configuration affected the | ||
result, the [=user agent=] must inform the user. | ||
</li> |
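Review bot: "If [=administrator=] configuration affected the result" does not say what counts as affecting it, and the thread notes that enterprise policy currently only adds entries; if the notification is meant only for the case where configuration adds entries to the result, state that explicitly ("added entries to the result"), otherwise say that removals also require informing the user, so implementations know which path needs a notification.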
I think this is how to integrate Chrome's WebUsbAllowDevicesForUrls policy, which I believe adds to the set of devices that https://wicg.github.io/webusb/#dom-usb-getdevices returns by default. @reillyeon might correct me.
This text says to inform the user if configuration affects the result either by adding or removing things. Is that right, or should we only inform the user if admin configuration adds to the page's abilities?
Yes, enterprise policy adds additional entries to the result of getDevices(). As implemented it cannot remove entries but I could see that as a possibility.
<ol> | ||
<li>Set |current state| to {{PermissionState/"granted"}} if the [=administrator=] | ||
granted permission; otherwise to {{PermissionState/"denied"}}.</li> | ||
<li>Inform the user of the [=administrator=]'s configuration.</li> |
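Review bot: the step "Inform the user of the [=administrator=]'s configuration" carries no condition or frequency, so a caller that runs this algorithm repeatedly would inform the user on every run; consider stating when the notification is shown (for instance once per origin and feature, or through the review/update/reset UI this spec already says a user agent SHOULD provide) rather than as an unconditional algorithm step.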
Similarly here, should we only inform the user if the admin configuration forced a 'grant' result?
This seems to assume the policy is being applied in real time?
@@ -1308,6 +1325,12 @@ <h2 id="privacy-considerations"> | |||
A user agent SHOULD provide a means for the user to review, update, and reset the | |||
[=permission=] [=permission/state=] of [=powerful features=] associated with an [=origin=]. | |||
</p> | |||
<p> | |||
Some [=user agents=] support <dfn data-lt="administrator">administrators</dfn> who can |
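Review bot: the <dfn data-lt="administrator"> is introduced in the Privacy Considerations section, but [=administrator=] is referenced from the algorithm steps in requesting-more-permission and from the permission-state text, so those steps forward-reference a considerations section; placing the definition with the spec's other definitions (the thread suggests near #dfn-permission) keeps the algorithm steps self-contained, with the discussion of how to notify the user staying here.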
I expect the <dfn> to move somewhere else, perhaps Infra, in the future, but I think the discussion about putting it there will be easier if it's already used in a spec or two first.
index.html
@@ -817,18 +821,31 @@ <h3 id="requesting-more-permission"> | |||
<li>If <var>current state</var> is not {{PermissionState/"prompt"}}, return <var>current | |||
state</var> and abort these steps. | |||
</li> | |||
<li>Ask the user for <a>express permission</a> for the calling algorithm to use the | |||
<a>powerful feature</a> described by |descriptor|. | |||
<li>If the [=user agent=] has an [=administrator=] who has configured the [=user agent=] |
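Review bot: the new step "If the [=user agent=] has an [=administrator=] who has configured the [=user agent=]" comes after the early return "If current state is not prompt, return current state and abort these steps", so administrator configuration is consulted only when the user-level state is still "prompt"; a prior user grant would then not be overridden by an administrator block unless the earlier permission-state lookup already applies administrator configuration. Worth confirming that it does, or moving this check ahead of the early return.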
This implies that administrators are always using enterprise policy, while https://w3ctag.github.io/privacy-principles/#dfn-administrator implies that a user who owns their own device is that device's administrator. We could make either meaning work, but this meaning seems to produce simpler spec text. If we go with this, we should eventually rewrite the Privacy Principles to match.
Some [=user agents=] support <dfn data-lt="administrator">administrators</dfn> who can | ||
override user choices about permissions, either to block permissions or to allow them on | ||
certain sites. Overriding user choices in this way can be a privacy problem, so this | ||
specification requires that the [=user agent=] inform users when it happens. |
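Review bot: "allow them on certain sites" is ambiguous between pre-granting a permission with no prompt and merely not blocking it; the algorithm step "Set current state to granted if the administrator granted permission" implies pre-granting, so say "grant" here so that the considerations text and the algorithm agree.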
This feels like it should be restricted to Privacy Considerations rather than affecting the algorithms.
I don't think we should do the whole thing as a COMEFROM from the Privacy Considerations, but we could move some of the acknowledgement of the administrator's existence to, say, https://pr-preview.s3.amazonaws.com/jyasskin/permissions/pull/420.html#dfn-permission. Then the discussion of how to notify the user could live in the Privacy Considerations. Does that make more sense to you @marcoscaceres?
This is still somewhat exploratory, to see if this is a good way to explain how UAs should handle cases where their enterprise policies override user choices about permissions. It implements https://w3ctag.github.io/privacy-principles/#device-administrators for this spec, and the idea to try it out here came from the Standardizing managed user agent behavior session at TPAC 2023.
@reillyeon, can you cc in whichever Chrome enterprise folks should pay attention? @timcappalli are you the right person to check this for Microsoft's enterprise system?