I know that GeoLocating requires elevated trust from the user in order to get the location.
Is that part of the standard? Is the trust level elevation part of the standard? Which features requires user permission? do i need to give permission for each feature seperately? or is it "trust-mode" on/off ? can the website keep the permission? or is it just per session?
I'm just starting to get ino HTML 5 myself, so I am going to try to answer as best I can. From what I understand it is not necessarily an "elevated trust" (sounds alot like Microsoft UAC term). Its more of a "granting of permission" for a site to access the user's location.
W3C - http://dev.w3.org/geo/api/spec-source.html#security
The API defined in this specification is used to retrieve the geographic location of a hosting device. In almost all cases, this information also discloses the location of the user of the device, thereby potentially compromising the user's privacy. A conforming implementation of this specification must provide a mechanism that protects the user's privacy and this mechanism should ensure that no location information is made available through this API without the user's express permission.
The way each browser implements this is up to the browser maker (ie google, microsoft, mozilla). For instance chrome will ask for permission for a domain and save that domain in a list of sites that can access the geo location feature. This works in the same way a pop up blocker has a list websites that are ok to "allow pop ups from".
So, I guess its hard to answer your question becuase it depends on the browswer and how those features are implemented.
Is that part of the standard? Is the trust level elevation part of the standard?
Kind of, yea. The standard says to implement some kind of a mechanism.
Which features requires user permission?
Sorry can't say for certain regarding this becuase I am not familiar enough will all the features of the standard. But I am pretty sure that access hardward like camera will be included in this list.
Do i need to give permission for each feature seperately? or is it "trust-mode" on/off?
I would think so, but this again will depend on the browswer makers "implementation" of the standards.
Can the website keep the permission? or is it just per session?
This would also depend on the browser, I can tell you that Chrome keeps a list once permission is granted (at least for geo location). You can then remove the permission later. I am not sure if they it is the same for other features with crhome.
Hope it helps.