Allow developers to implement their own Permission Prompts
Is your feature request related to a problem? Please describe.
I am developing an application which is opened via another application. When my application is launched it connects to a WebRTC connection and attempts to share the screen using navigator.mediaDevices.getUserMedia.
This is required to be done with zero user interaction.
Describe the solution you'd like
A method for developers to override the permissions dialog, to enable showing our own prompts or other custom logic. e.g. a config flag, per permission(?), to expose events to both JS and Rust for when the application requires/requests permissions
Describe alternatives you've considered
Electron already does this but it is opt-out, meaning that no dialogs are shown for any permission requests - very bad for security
Additional context
Definitely needs to be an opt-in so that the user is prompted in the default configuration. See Electron GH issues above for more context.
Related: tauri-apps/wry#81
My understanding is that Tauri addresses the security issue differently from Electron: Capabilities reachable from the UI are statically restricted through the tauri.conf.json manifest. This acts as damage control for compromised UIs such as through an XSS attack.
Tauri also asks for permission (soft prompts) for notifications, sound, camera etc. This is not a security feature, but rather just respectful UX and sensible defaults. It would be trivial for a malicious developer to bypass these - and there's very little Tauri can do since sandboxing on desktop OSs is very limited. Am I understanding this correctly? Is there some additional complexity around the HTML5 JS APIs that I left out?
In either case, I think it largely makes sense to be able to override these soft prompts:
- It's difficult to achieve consensus on the consent criteria and what constitutes best practice.
- Apps are not created equal. For instance, a sound/video app that asks for consent for playing media would be nuisance-only.
- The OS sometimes provides its own prompt. I've seen macOS ask for notification permissions - this could result in duplicate notifications - as well as confusion about where to find the relevant settings.
- The app could provide its own user-space permission UI. For instance, it's quite common to provide more fine-grained notification controls for e.g. chat apps.
Lastly, alert fatigue is a real thing. Prompts are not cost-free, particularly (1) for less technical users and (2) on first use when their attention is already saturated.
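As an added illustration (not from either participant in this thread) of the static restriction the comment above refers to, here is a permissive `tauri.conf.json` fragment beside a least-privilege one, assuming the Tauri 1.x `tauri.allowlist` and `tauri.security.csp` schema. The first exposes every native API to whatever runs in the webview, so an XSS gets the same reach; the second enables only the commands the app needs and scopes them, which is the damage control the allowlist exists for.

```json
{
  "__comment": "Constructed example. Two alternative 'tauri' sections; use one.",

  "tauri_permissive": {
    "allowlist": {
      "all": true
    },
    "security": {
      "csp": null
    }
  },

  "tauri_least_privilege": {
    "allowlist": {
      "all": false,
      "shell": {
        "open": "^https://example\\.com/"
      },
      "fs": {
        "readFile": true,
        "scope": ["$APPDATA/**"]
      },
      "notification": {
        "all": true
      }
    },
    "security": {
      "csp": "default-src 'self'; img-src 'self' data:; connect-src 'self' wss://example.com"
    }
  }
}
```

The keys `tauri_permissive` and `tauri_least_privilege` are placeholders so both variants can sit in one file; in a real manifest the chosen object is named `tauri`, and `example.com` is a constructed host.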