Matthew: this is interesting... started in 2011... in 2016 it had a CR but then retired... and now has come back in 2019... since 2022 has had loads of work... Seems pretty well fleshed out. APA had some accessibility consideraitons... these can be worked out...

Dan: we had a message from anssi .. they gave us a deadline that we've missed. the update aligns the spec with implementations. Sounds good in terms of multi implementer support.

Matthew: apa provided comments relating to a11y. On the cusp of proposing an accessibility considerations section for them, hopefully today. No major concerns - just alternatives to things that developers should provide. Didn't see anything risky from an architectural perspective. They have S&P which we should pay attention to. They are doing testing to get feedback on s&p issues.

Dan: I've reviewed their responses to the self-review - no red flags. Should we be evaluating this against our new guidence on access to devices?

Matthew: app should not be able to distinguish between denying permission and... I don't remember seeing anything along those lines but worth checking

Dan: this is an iteration on an existing thing

Matthew: we didn't land the PR

Dan: we got positive reviews and addressed the requested change

Matthew: if we're talking about permssions stuff in this principle I agree with sangwhan's review... wouldn't have expected permissions in it from the title of the issue. If we land this it's worth raising an issue for this so we think about it again, but not hold it up on this.

We're largely happy from an architectural point of view and I appreciate this is an update to an existing spec and that there is multi-implementer consensus - so great!

In line with generally tightening up our privacy-related guidance, we have just updated our wording in the Design Principles about exposing identifying information about devices and I'd like to draw your attention to it: In our new guidance in 9.1, we say "A web app should not be able to distinguish between the user rejecting permission to use a sensor/capability, and the sensor/capability not being present." From our read on the current spec, it's not clear what the behaviour is if a user rejects permission. Can you clarify?

Matthew: filed w3ctag/design-principles#479 for us to keep track of Sangwhan's review of w3ctag/design-principles#470.

Dan: Anssi got back to us... DAS WG believes the spec is compliant with the Permissions guidance, however in response to our concern they opened an issue https://github.com/w3c/deviceorientation/issues/148

Matthew: there's a typo in the permissions spec in /TR ... also I'm wondering if the permissions spec Anssi linked to ... I'm wondering if our advice is compatible?

Matthew: I don't think we can say no to them since this is in agreement with Anssi's approach.. We're saying we don't want to block devices & sensors wg work...

Hi @anssiko & @reillyeon - First of all, thanks for raising the issue in your repo in response to our feedback. We're happy to close the review on that basis.

...and... It's clear we need some harmonisation between the TAG guidance on devices and powerful features and what the WebAppSec group has developed around this topic. Thanks for bringing that to our attention. We've opened up an issue on our design principles doc https://github.com/w3ctag/design-principles/issues/481 to track.

Matthew: APA WG suggested an Accessibility Considerations section (also, it's been great working with this group, as ever).

closed as satisfied