
Does WebXR need a permission prompt?

Open AdaRoseCannon opened this issue 2 years ago • 7 comments

Related to #1267

It seems to me WebXR core and some additional modules aren't too much more dangerous than fullscreen.

By skipping the permission prompt for some features we can save the rather heavy blunt tool of permission prompts for situations where the user is exposed to more risk such as Raw Camera, where finding a way to suitably warn users is a challenge.

We should discuss this before we set the API in stone. /facetoface

AdaRoseCannon avatar Mar 30 '22 19:03 AdaRoseCannon

Even if we don't remove it entirely it's maybe worth making a note that it's an optional feature for UAs.

AdaRoseCannon avatar Mar 30 '22 19:03 AdaRoseCannon

WebXR core exposes more fingerprinting and user profiling opportunities than full-screen, and also has power / battery implications on mobile, so it's definitely not something I'd want tracking scripts to be able to easily leverage without user awareness.

It seems likely the obvious mode-switch of the immersive sessions will prevent it being used for fingerprinting/profiling in tracking scripts, so there's a case for making the permission prompt optional for those sessions IMHO.

tangobravo avatar Apr 06 '22 09:04 tangobravo

This makes sense to me and could mitigate against the issues raised here https://github.com/w3ctag/design-reviews/issues/652.

torgo avatar Apr 13 '22 19:04 torgo

Hi I was just talking to @torgo about this.

The goal of this issue was to have a 2 level approach to allow more dangerous APIs like Raw Camera Access to be distinguished from plain AR in WebXR.

Perhaps the button mentioned in https://github.com/immersive-web/webxr/issues/1267 could help to provide an entry point without gaining explicit consent.

We discussed this at TPAC, about how it could be worthwhile to make more explicit that the method and frequency of obtaining the consent is up to the implementor, so that implementations building both features feel empowered to mark a clear distinction between the APIs. What do you think @toji @Manishearth @cabanier ?

AdaRoseCannon avatar Jun 30 '22 13:06 AdaRoseCannon

Hi folks - just to follow this up: I'd really like us to be able to close our TAG review with a positive outcome. We're blocked on the issue that the raw camera API is way more dangerous and powerful than the regular WebXR AR functionality. This has been blocked for almost a year. I really want to see this work happen AND I also want to see it happen in a way that is consistent with the promise of the web to be a more privacy-preserving and ethical platform. I feel like if the group can agree in a differential in the privacy consideration sections of these specs then maybe that could be way forward for the TAG to close its review?

torgo avatar Jun 30 '22 14:06 torgo

Partly, I had envisioned that #1267 is just to go into immersive with no other permissions. If those are requested, it would still require a permission prompt. We have been thinking about an improved permission workflow where the user can pick and choose what permission they want to grant to the session (i.e. if requestSession requires hand tracking but has plane detection optional, the user would see immersive, hand tracking as required permission and have the option to enable plane tracking.)

cabanier avatar Jun 30 '22 14:06 cabanier
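As an added illustration of the required/optional feature split described in the comment above (example code, not from the issue thread or the WebXR editors): the page declares which features it cannot work without and which it can degrade without, then checks what the UA actually enabled. It assumes the standard `navigator.xr.requestSession(mode, init)` call and the `XRSession.enabledFeatures` attribute; `fakeXR` is a constructed stand-in so the code runs without a browser.

```javascript
// Feature names used by this page (constructed for the example).
const REQUIRED = ['hand-tracking'];
const OPTIONAL = ['plane-detection'];

// Build the XRSessionInit dictionary. Required features make the whole request
// fail if the UA or user refuses them; optional ones may simply not be enabled.
function buildSessionInit(required, optional) {
  return { requiredFeatures: [...required], optionalFeatures: [...optional] };
}

// Compare what the UA enabled with what was asked for. On a successful session
// every required feature is present; optional ones must be checked explicitly.
function classifyFeatures(enabled, required, optional) {
  const on = new Set(enabled);
  return {
    missingRequired: required.filter((f) => !on.has(f)),
    granted: optional.filter((f) => on.has(f)),
    declined: optional.filter((f) => !on.has(f)),
  };
}

// Request an immersive-ar session; never assume an optional feature is live.
async function startARSession(xr, required = REQUIRED, optional = OPTIONAL) {
  const init = buildSessionInit(required, optional);
  try {
    const session = await xr.requestSession('immersive-ar', init);
    // Older UAs may lack enabledFeatures (assumption); fall back to the required set.
    const report = classifyFeatures(session.enabledFeatures ?? required, required, optional);
    return { ok: true, session, ...report };
  } catch (err) {
    // NotSupportedError / SecurityError: mode or a required feature was refused.
    // The page should fall back to inline content rather than re-prompting.
    return { ok: false, error: err.name, missingRequired: required, granted: [], declined: optional };
  }
}

// Constructed stand-in for navigator.xr: grants hand-tracking, declines plane-detection.
const fakeXR = {
  supported: new Set(['hand-tracking']),
  async requestSession(mode, init) {
    const missing = (init.requiredFeatures || []).filter((f) => !this.supported.has(f));
    if (mode !== 'immersive-ar' || missing.length) {
      throw Object.assign(new Error(`refused: ${missing.join(',')}`), { name: 'NotSupportedError' });
    }
    const optionalOn = (init.optionalFeatures || []).filter((f) => this.supported.has(f));
    return { enabledFeatures: [...init.requiredFeatures, ...optionalOn], end: async () => {} };
  },
};
```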

I'm okay with making the prompt optional. To some extent I think the strong language there was due to the review by the privacy WG, it's worth referring back there to ensure we can

I think raw camera access should always have a prompt beyond "installed PWA" use cases.

Manishearth avatar Jun 30 '22 16:06 Manishearth