Launching a PWA should qualify as a "User activation" #274
Comments
I think that ideally, the behavior is the same between PWA and browser-launched. Please, let's not flip the current behavior... let's unrestrict PWAs.
@bradisbell I'd agree with that!
How about asking the user once when creating/selecting a folder? From then on, the browser can have full access below the folder.
I agree that it does seem weird that navigation by clicking a link would count as user activation while launching a PWA wouldn't. That said, this spec doesn't define what counts as user activation; that is specified (or should be specified) in the HTML spec. whatwg/html#3849 is an open issue to more accurately specify what counts as user activation; commenting on there or opening a new issue in the HTML spec would probably be the better place for a suggestion like this.
Launching a PWA should be considered by the API to be a "User activation", i.e. launching should be able to trigger the permission request for a previously picked file or directory ("Let site view files?").
Currently we have an unequal situation, and oddly the situation is worse for installed PWAs than it is for an app launched from a third-party link. Consider these two scenarios, for an app where the user has (in a previous session) picked a file to work on, and the file handle has been serialized to IndexedDB:
1. If I provide a link to my app from a third-party web site, then when the user clicks this link, the app will launch and it can immediately (if I wish) ask for permission to view the previously picked file. The user only has to click once in the app to provide permission.
2. However, if my app is installed as a PWA, and the user launches it from its icon in the OS interface (at least on Windows), then when the app requests permission to access a previously picked file, it throws an error (in console) "DOMException: User activation is required to request permissions". I have to wait for the user to click a link I have provided in the UI before I can trigger the permission request. In this scenario, the user has to click twice in the app to provide permission (once on a link in the app, and then again in the permissions dialogue).
Why is scenario 1 treated as more secure than scenario 2? Surely it should be the other way round?
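An added example, not part of the original issue or of the spec: one way an app can handle a stored handle so that the launch path never triggers the activation error described above, by querying first and prompting only when a user gesture is active. The names `ensureAccess`, `makeFakeHandle` and the `'needs-gesture'` status are hypothetical, and the handle is a constructed stand-in so the logic runs outside a browser.

```javascript
// Added example: names ensureAccess, makeFakeHandle and the 'needs-gesture'
// status are hypothetical. In a page, pass the FileSystemHandle restored from
// IndexedDB and navigator.userActivation instead of the stand-ins below.

// Resolves to 'granted', 'denied' or 'needs-gesture'. Never prompts without
// a user gesture, so the launch path cannot hit the activation error.
async function ensureAccess(handle, activation, mode = 'read') {
  const opts = { mode };
  const state = await handle.queryPermission(opts); // query never prompts
  if (state !== 'prompt') return state;
  if (!activation || !activation.isActive) return 'needs-gesture';
  try {
    return await handle.requestPermission(opts);
  } catch (err) {
    // Activation can expire between the check and the call; defer in that
    // case, and surface any other failure to the caller.
    if (!activation.isActive) return 'needs-gesture';
    throw err;
  }
}

// Constructed stand-in for a stored handle: starts in `initial`, and answers
// a permitted prompt with `userAnswer`. It rejects like the browser in the
// issue when there is no user activation.
function makeFakeHandle(initial, activation, userAnswer) {
  let state = initial;
  return {
    prompts: 0,
    async queryPermission() { return state; },
    async requestPermission() {
      if (!activation.isActive) {
        throw new Error('User activation is required to request permissions');
      }
      this.prompts += 1;
      state = userAnswer;
      return state;
    },
  };
}

// Constructed walk-through: PWA launch (no gesture), then a click in the app.
async function demo() {
  const activation = { isActive: false };
  const handle = makeFakeHandle('prompt', activation, 'granted');
  const atLaunch = await ensureAccess(handle, activation);
  activation.isActive = true; // the user clicked the in-app control
  const afterClick = await ensureAccess(handle, activation);
  return { atLaunch, afterClick, prompts: handle.prompts };
}
```

When `ensureAccess` resolves to `'needs-gesture'`, the app shows its own control and calls the function again from that control's click handler.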