#703: HIDDevice forget()

Opened Dec 27, 2021

Braw mornin' TAG!

I'm requesting a TAG review of the forget() method for HIDDevice.

The forget() method allows web developers to voluntarily revoke a permission to a HIDDevice that was granted by a user.

Some sites may not be interested in retaining long-term permissions to access a HID device. For example, for an educational web application used on a shared computer with many devices, a large number of accumulated user-generated permissions creates a poor user experience. In addition to user agent mitigations to avoid this problem, such as defaulting to a session scoped permission on the first request or expiring infrequently used permissions, it should be possible for the site itself to clean up user-generated permissions it is no longer interested in retaining.

// Request any HID device.
const [device] = await navigator.hid.requestDevice({ filters: [] });

// Then later... revoke permission to the HID device.
await device.forget();

⚠️ We expect similar functionality in Web Bluetooth, WebUSB, and the Serial API to be added.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG
  • The group where standardization of this work is intended to be done ("unknown" if not known):
  • Existing major pieces of multi-stakeholder review or discussion of this design:
  • Major unresolved issues with or opposition to this design:
  • This work is being funded by: Google

You should also know that we're eager to hear the TAG's opinion on a method like this given that navigator.permissions.revoke() is non-standard.

We'd prefer the TAG provide feedback as:

💬 leave review feedback as a comment in this issue and @-notify @beaufortfrancois
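
The shared-computer cleanup described in the request above, as an added example that is not part of the original issue or of the WebHID specification. `releaseAllHidDevices` and `makeFakeHid` are hypothetical names; the fake stands in for `navigator.hid` so the helper can run outside a browser, and its device values are constructed.

```javascript
// Sign-out cleanup: give back every HID permission this origin holds.
// releaseAllHidDevices is a hypothetical helper, not a WebHID API.
async function releaseAllHidDevices(hid = globalThis.navigator?.hid) {
  const result = { forgotten: [], unsupported: [], failed: [] };
  if (!hid) return result; // WebHID is not available in this context

  // getDevices() lists only devices the user already granted to this origin.
  for (const device of await hid.getDevices()) {
    const label = device.productName || `${device.vendorId}:${device.productId}`;
    try {
      if (device.opened) await device.close(); // stop I/O before revoking
      if (typeof device.forget !== "function") {
        // No forget() in this user agent: the grant stays until the
        // user or the user agent removes it.
        result.unsupported.push(label);
        continue;
      }
      await device.forget();
      result.forgotten.push(label);
    } catch (err) {
      result.failed.push(label);
    }
  }
  return result;
}

// Constructed stand-in for navigator.hid, for running outside a browser.
function makeFakeHid(specs) {
  const granted = new Set();
  for (const spec of specs) {
    const device = {
      productName: spec.name,
      vendorId: 0x1234, // constructed value
      productId: 0x5678, // constructed value
      opened: Boolean(spec.opened),
      async close() { this.opened = false; },
    };
    if (spec.canForget) {
      // Mirrors the proposed behaviour: the device leaves the granted set.
      device.forget = async () => { granted.delete(device); };
    }
    granted.add(device);
  }
  return { getDevices: async () => [...granted] };
}
```

In a page, call `releaseAllHidDevices()` from the sign-out handler and surface `unsupported` and `failed` so the remaining grants can be cleared through the browser's site settings.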

Discussions

2022-02-07

Minutes

Sangwhan: this is lgtm - obvious addition - we should think about adding more of this pattern - allow apps to give up permissions and request as they see they need it. Right now the permissions dialog - people don't give a damn about it (data shows).

Dan: can we cite published results about that?

Sangwhan: https://developer.chrome.com/blog/permissions-chip/ -- "most permissions dismissed or ignored" -- maybe we should revisit permissions in web architecture.

Dan: that brings the topic of permissions budget or privacy budget...

Sangwhan: back to original topic - forget is a mechanism for a web site to - they have a handle to the device - and forget releases that handle.

Dan: why would they do that?

Dan: Left a comment - maybe we can still aim to close this week.

François left a response -- we can discuss more in the plenary

Max: what is the user interaction? If the HID device forgets, does this notify the user?

Sangwhan: there's no interaction from the user end, the user is not notified

Dan: but after it's forgotten if it needs to be reacquired a new permission request will have to be made.

2022-02-14

Minutes

agreed to close