[encrypted-media] "Provide per-origin user alerts / prompts and permissions" headings do not accurately reflect the content

ddorwin has just created a new issue for 
https://github.com/w3c/encrypted-media:

== "Provide per-origin user alerts / prompts and permissions" headings
 do not accurately reflect the content ==
Both the Security and Privacy sections have mitigations with the 
heading "**Provide per-origin user alerts / prompts and 
permissions**".

The current heading could be interpreted as:
 1. The mitigation is to provide alerts or permission prompts.
 1. The mitigation is to ensure that any alerts, prompts, or 
permissions are per-origin.

More importantly, both contain important requirements that extend 
beyond alerts, prompts, or permissions. The per origin (and per 
browsing profile) requirements in the following paragraph are an 
additional mitigation. Certainly those requirements must (#314) be 
per-origin, but that is not the most important mitigation in these 
sections.

Specifically:
* https://w3c.github.io/encrypted-media/#security-prompts says, "User 
agents SHOULD ensure that users are fully informed and/or give 
explicit consent before a Key System that presents security concerns 
that are greater than other user agent features (e.g. DOM content) may
 be accessed by an origin."
* https://w3c.github.io/encrypted-media/#privacy-prompts says "User 
agents MUST ensure that users are fully informed and/or give explicit 
consent before using Distinctive Identifier(s) and Distinctive 
Permanent Identifier(s)."


Please view or discuss this issue at 
https://github.com/w3c/encrypted-media/issues/315 using your GitHub 
account

Received on Wednesday, 7 September 2016 23:46:27 UTC