#703: HIDDevice forget()

Visit on Github.

Opened Dec 27, 2021

Braw mornin' TAG!

I'm requesting a TAG review of the forget() method for HIDDevice.

The forget() method allows web developers to voluntarily revoke a permission to a HIDDevice that was granted by a user.

Some sites may not be interested in retaining long-term permissions to access a HID device. For example, for an educational web application used on a shared computer with many devices, a large number of accumulated user-generated permissions creates a poor user experience. In addition to user agent mitigations to avoid this problem, such as defaulting to a session scoped permission on the first request or expiring infrequently used permissions, it should be possible for the site itself to clean up user-generated permissions it is no longer interested in retaining.

// Request any HID device.
const [device] = await navigator.hid.requestDevice({ filters: [] });

// Then later... revoke permission to the HID device.
await device.forget();

⚠️ We expect similar functionality in Web Bluetooth, WebUSB, and the Serial API to be added.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG
  • The group where standardization of this work is intended to be done ("unknown" if not known):
  • Existing major pieces of multi-stakeholder review or discussion of this design:
  • Major unresolved issues with or opposition to this design:
  • This work is being funded by: Google

You should also know that we're eager to hear the TAG's opinion on a method like this given that navigator.permissions.revoke() is non-standard.

We'd prefer the TAG provide feedback as:

💬 leave review feedback as a comment in this issue and @-notify @beaufortfrancois

Discussions

Discussed Feb 1, 2022 (See Github)

Sangwhan: this is lgtm - obvious addition - we should think about adding more of this pattern - allow apps to give up permissions and request as they see they need it. Right now the permissions dialog - people don't give a damn about it (data shows).

Dan: can we cite published results about that?

Sangwhan: https://developer.chrome.com/blog/permissions-chip/ -- "most permissions dismissed or ignored" -- maybe we should revisit permissions in web architecture.

Dan: that brings the topic of permissions budget or privacy budget...

Sangwhan: back to original topic - forget is a mechanism for a web site to - they have a handle to the device - and forget releases that handle.

Dan: why would they do that?

Dan: Left a comment - maybe we can still aim to close this week.

François left a response -- we can discuss more in the plenary

Max: what is the user interaction? If the HID device forgets, does this notify the user?

Sangwhan: there's no interaction from the user end, the user is not notified

Dan: but after it's forgotten if it needs to be reacquired a new permission request will have to be made.

Discussed Feb 1, 2022 (See Github)

agreed to close

Comment by @beaufortfrancois Feb 8, 2022 (See Github)

FYI We've just sent an intent to ship on blink-dev at https://groups.google.com/a/chromium.org/g/blink-dev/c/Fk-IJF63UWc

Comment by @torgo Feb 8, 2022 (See Github)

Hi @beaufortfrancois one question - does this assume that there will be a future "privacy budget" type mechanism that would encourage web apps to revoke no-longer-needed permissions in order to acquire other permissions? Just curious to understand more about the use case - and especially the user need. Also there is no explainer. Although it's clear this is a small addition to an existing spec I think it could benefit from at least a small explainer to put this in context of the user need. Also if there are privacy & security requirements behind this feature then could you amend the security & privacy questionnaire responses accordingly?

Comment by @beaufortfrancois Feb 8, 2022 (See Github)

Hi @beaufortfrancois one question - does this assume that there will be a future "privacy budget" type mechanism that would encourage web apps to revoke no-longer-needed permissions in order to acquire other permissions?

It doesn't assume this type of mechanism.

Just curious to understand more about the use case - and especially the user need. Also there is no explainer. Although it's clear this is a small addition to an existing spec I think it could benefit from at least a small explainer to put this in context of the user need.

Websites used by multiple users (e.g. students) on a machine/browser will want to provide a way for their users to clean their devices as it would clutter the list of devices already granted to them.

Some websites may also want to offer some kind of "Connected Devices" panel to their users in which all their devices that have been granted HID connectivity would be listed and offer them a way to revoke this access.

Screenshot below shows you what it looks like in Chrome browser. Websites will want to provide the same functionalities with a potential "reset all" button for instance.

image

Also if there are privacy & security requirements behind this feature then could you amend the security & privacy questionnaire responses accordingly?

I didn't find one. requestDevice() grants you access to HID devices. forget() simply lets you forget manually. Users could already perform that action from the browser.

Comment by @maxpassion Feb 8, 2022 (See Github)

One clarification question: What is the expected user interaction when HIDDevice forget() is invoked? Will it notify the user?

Comment by @beaufortfrancois Feb 8, 2022 (See Github)

The browser won't notify the user. It is expected that the website provides a UI to revoke access to a HID device. You can try it in Chrome Canary at https://hiddevice-forget.glitch.me with the "Experimental Web Platform Features" flag.

Comment by @beaufortfrancois Feb 10, 2022 (See Github)

FYI We're shipping this in Chrome 100. See https://twitter.com/quicksave2k/status/1491709997138464768

Comment by @beaufortfrancois Feb 11, 2022 (See Github)

Developer documentation can be found at https://web.dev/hid/#revoke-access

Comment by @cynthia Feb 15, 2022 (See Github)

Thanks for the clarification, happy that this work is moving forward. We will also take note to revisit parts of the platform where such patterns (returning permissions) might be necessary.

Comment by @beaufortfrancois Feb 23, 2022 (See Github)

FYI We've just sent another intent to ship for USBDevice forget() at https://groups.google.com/a/chromium.org/g/blink-dev/c/pSM2W0TtKEI