Page Embedded Permission Control (PEPC): Safely embedding permission entry points in web content

[b1tr0t]

Session description

This breakout will continue past discussions of the Page Embedded Permission Control (PEPC). We will discuss safe, consistent mechanisms for web developers to link into browser UI surfaces, starting with permissions. Other examples of browser controls which could be embedded include content settings, a PWA install trigger, an installed app management surface, federated login, autofill or other browser settings. To date discussion has focused on the permissions use case, and while we would like to continue this discussion we believe the concept could be applicable to other use cases.

As web apps grow more sophisticated, rivaling native apps in capability and complexity, users can become confused as to how to access important settings that affect their ability to use apps. For example, in addition to origin scoped Permissions, PWAs can have application settings scoped to the application.

Websites can try to help users by providing guided instructions into browser UI surfaces but (1) this normalizes a safety anti-pattern and should not be encouraged even in legitimate sites as malicious websites are excellent at deceiving users into making unsafe changes to their settings, (2) instructions are inconvenient for the user, difficult to maintain for developers and frequently fail to help and (3) these types of instructions present extra challenges for accessibility.

This session will continue the dialog on providing in page access to permission settings, including implications for the underlying browser permission model, while expanding the discussion to include problem spaces beyond permissions. We will present preliminary usage data and developer feedback from the PEPC prototype for permissions as context for conversation.

Session goal

Gather community feedback on the use cases and requirements for a general solution to providing safe entry points into browser UI surfaces from web content while laying out an incremental roadmap. Discuss whether (1) the problem space warrants solutions, (2) the requirements of a solution, (3) how the PEPC as prototyped stacks up against requirements, (4) alternative ways the requirements could be addressed.

Additional session chairs (Optional)

@andypaicu, @heisenburger, @mharbach, @engedy

Who can attend

Anyone may attend (Default)

IRC channel (Optional)

#pepc

Other sessions where we should avoid scheduling conflicts (Optional)

#8

Instructions for meeting planners (Optional)

No response

Agenda for the meeting.

Presentation Deck

Links to calendar

• 2024-09-25, 10:00 - 11:00

Meeting materials

• Slides
• Minutes

[tpac-breakout-bot]

Thank you for proposing a session!

You may update the session description as needed and at any time before the meeting, but please keep in mind that tooling relies on issue formatting: follow the instructions and leave all headings and other formatting intact in particular. Bots and W3C meeting organizers may also update the description, to fix formatting issues or add links and other relevant information. Please do not revert these changes. Feel free to use comments to raise questions.

Do not expect formal approval; W3C meeting organizers endeavor to schedule all proposed sessions that are in scope for a breakout. Actual scheduling should take place shortly before the meeting.