Harmonize with WebAppSec Powerful Features Draft

[torgo]

Webappsec have a draft https://www.w3.org/TR/permissions/ which talks about some of the same things we talk about especially regarding access to powerful features... we should ensure tat we're aligned. This came to light in the discussions on w3ctag/design-reviews#928

[torgo]

Discussed today in TAG breakout and we agreed to work with WebAppSec folks to come up with a set of changes to both documents that harmonize these... /cc @marcoscaceres

[jyasskin]

The mention of powerful APIs in the design principles is in https://w3ctag.github.io/design-principles/#require-user-activation and says "Require user activation for powerful APIs". Permissions has an issue (w3c/permissions#194) and a PR (w3c/permissions#401) to make it easy to require a user gesture, but it's not the case that every permissioned feature will require a gesture. So our text should probably back off slightly to just say that "many" or "most" powerful APIs need a gesture.

@engedy may have input about the right thing to say here, or know who should comment.

[jyasskin]

@marcoscaceres, in the TAG breakout today, we think the ball is in your court to finish w3c/permissions#401, and then we should add a link from this document to Permissions once that's done.