prevent spoofing

[matthiasclasen]

Bastien pointed out that with portal ui being just GTK+ windows, applications can try to trick users into giving them data by presenting windows that look like portal dialogs but aren't. We should look if we can get the compositor to provide some treatment for those windows that is hard to reproduce from inside the sandbox.

[matthiasclasen]

Some further discussion on #gnome-design seems to point towards using shell dialogs for simple things that are explicitly about access, like this:

https://raw.githubusercontent.com/gnome-design-team/gnome-mockups/master/shell/access-control/camera-microphone-dialogs.png

while sticking to gtk dialogs for complex things that are more about selection, like the file chooser, or this: https://wiki.gnome.org/Design/OS/ContentSelection#Tentative_Design

[matthiasclasen]

Another spoofing concern is that if we make the button labels settable by the application, a malicious app could swap cancel and ok.

[matthiasclasen]

from irc discussion, we'll stop making the cancel label settable

[matthiasclasen]

This is now done: cancel_label no longer settable.