04/29/2011

Proposal for a web application descriptor

Problem:

More and more really neat features are coming to web applications. These features include local file system access, access to cameras and microphones, geo locations services and many more. To minimize security risks and to protect the user’s private data current web browser generations ask for permission before they grant access to these services. This gets problematic when a browser has to ask for several permissions at the same time. Figure 1 illustrates this behaviour as seen in Google Chrome. As shown in Figure 2 Mozilla Firefox handles this even worse as the two dialogs overlap.

Figure 1: Google Chrome displaying two permission dialogs at the same time

Figure 2: Mozilla Firefox displaying two permission dialogs at the same time

In both cases the permission dialogs might confuse the user and the more permissions have to be asked for the more confusing this might get. It would therefore be very nice to have a consolidated permission dialog asking for all permissions at once.

Normally, this would not concern any web standard since this would be strictly an UI issue, but the problem is not that easy to solve at UI level because permissions are not questioned while the application is loading but while each individual feature is used for the first time.

Proposed solution:

I recently installed an Android application on a mobile phone and saw that it shows the user which features it would like to access. The user sees this all at once and can transparently view the requirements for this application. Therefore, I suggest a similar behaviour for web applications.

A simple text or xml file (see Listing 1) could be included in any web application indicating which features this particular application want to use. The descriptor could be a sophisticated xml file or a simple plain text file similar to the cache manifest syntax used in HTML 5.

    <?xml version="1.0" encoding="UTF-8"?>
    <webapp>
        <title>Permissions</title>
        <vendor>Simon Heckmann</vendor>
        <permission>
            <identifier>Location Service</identifier>
        </permission>
        <permission>
            <identifier>Camera</identifier>
        </permission>
        <permission>
            <identifier>Microphone</identifier>
        </permission>
        <permission>
            <identifier>Local Data</identifier>
            <value unit="MB">100</value>
        </permission>
        <permission>
            <identifier>Notifications</identifier>
        </permission>
    </webapp>

Listing 1: Sample web application descriptor with filename the “app.descriptor”

Including such a web application descriptor could be done with simple html mark-up:

<html lang="en" manifest="offline.manifest" descriptor="app.descriptor">

Listing 2: Including the web application descriptor in an html file

The user agent (browser) could then present a single dialog which allows the user to maintain the permissions for this site. Figure 3 and Figure 4 show how this could look like in the two browsers used in the problem statement. Displaying the permissions icon all the time would allow to quickly jump back to the permission settings of a particular site an change them.

Figure 3: Mock-up of the proposed solution in Google Chrome

Figure 4: Mock-up of the proposed solution in Mozilla Firefox

PDF version of this document