This document identifies the permissions that are needed to use specific client-side APIs which grant access to sensitive data and operations.
Work on this document has been discontinued and it should not be referenced or used as a basis for implementation.

The Permissions API developed by the Device API Working Group was defined to identify permissions needed to grant access to sensitive data and operations. The Device APIs WG has decided to discontinue the work (call for consensus to shelve) on the original Permissions API.

Introduction

A number of Web APIs, in particular those used to access private or sensitive data from the hosting device, are meant to be discoverable, as well as disabled or enabled on a site-by-site or application-by-application basis, depending on the security context.

For instance, the feature element as defined in the Widget Packaging and Configuration specification [[WIDGETS]] allows a widget runtime engine to grant access only to the specific APIs that the configuration file of the widget listed.

This document identifies and names the various permissions that are attached to existing Web APIs.

Permissions

Each permission described in this document is identified using a string specified in this document.

Where these permissions needed to be identified as a URI (e.g. in a widget configuration file [[WIDGETS]]), a URI can be built from these strings by appending that string to the base http://www.w3.org/ns/api-perms/.

The DAP base URI is entirely tentative at this stage.

Geolocation API

The geolocation identifier corresponds to the access to both or either of the Geolocation::getCurrentPosition and Geolocation::watchPosition methods defined in the Geolocation API [[!GEOLOCATION-API]].

In the Web browser environment, this permission is usually granted through explicit user’s consent, and is retained for later access in the same session.

Contact API

The contacts.read identifier corresponds to the access to the Contacts::find method defined in the Contacts API [[!CONTACTS-API]].

In the Web browser environment, this permission is usually granted implicitly by asking the user to select what data of which contacts should be shared, for each call to the said method.

Capture API

The mediacapture identifier corresponds to the access to the Capture::captureImage, Capture::captureVideo and Capture::captureAudio methods defined in Media Capture API [[!MEDIACAPTURE-API]].

In the Web browser environment, this permission is usually granted implicitly by asking the user to activate a button to start and stop the recording operations, for each call to the said methods.

File API

The file.read identifier corresponds to the access to the FileReader::readAsArrayBuffer, FileReader::readAsBinaryString, FileReader::readAsText and FileReader::readAsDataURL methods defined in the File API [[!FILE-API]].

In the Web browser environment, this permission is usually granted implicitly once the File object has been created, after the user has selected a file from a file picker, and is retained for later access in the same browsing context.

The file.write identifier corresponds to the access to the FileWriter::write, FileWriter::truncate, FileWriterSync::write and FileWriterSync::truncate methods defined in the File Writer API [[!FILE-WRITER]].

In the Web browser environment, this permission is usually granted implicitly once the FileSaver object has been created, after the user has selected a path to which the data can be saved (e.g. through a “Save As” dialog).

System Information API

The deviceinfo identifier corresponds to the access to the data of the Power, CPU, Thermal, AVCodecs, Storage, OutputDevices, InputDevices properties available through the SystemInfo::get and SystemInfo::watch methods defined in the System Information API [[!SYSINFOAPI]].

The networkinfo identifier corresponds to the access to the data of the Network property available through the SystemInfo::get and SystemInfo::watch methods defined in the System Information API [[!SYSINFOAPI]].

The sensorinfo identifier corresponds to the access to the data of the AmbientLight, AmbientNoise, AmbientTemperature, AmbientAtmosphericPressure and Proximity properties available through the SystemInfo::get and SystemInfo::watch methods defined in the System Information API [[!SYSINFOAPI]].

In the Web browser environment, these permissions are usually granted through explicit user’s consent, and are retained for later access in the same session.

Mapping to BONDI features and Android permissions

This section maps the permissions defined in this document to BONDI 1.11 feature strings [[BONDI-FEATURES1-11]] and corresponding Android permissions.

BONDI 1.11 feature URIs are formed by appending the BONDI string to the base URI: http://bondi.omtp.org/api/1.1/.