HTTPS is good, but it's not good enough for a web API context because it only protects client-server communications.
Prompting the user is good, but it's not good enough for a web API context because users can't be fully informed by a one-line prompt.
I was asked to help my mother-in-law with her PC. When I looked at the screen, it was half covered by W10 notifications from web sites. I asked her, "How do you use this?" And she said, "I don't know how that happened and I don't know how to stop it." Of course she gave permission, but she could not understand how bad web sites would abuse notifications, so she couldn't make a fully informed decision. It was sad. I turned all off.
Now, developers will say that it's impossible to fully inform a user, but when that's the case, should we really push that anyway to the user?