[mediacapture-main] Camera light and "disabled"

alvestrand has just created a new issue for 
https://github.com/w3c/mediacapture-main:

== Camera light and "disabled" ==
In current implementations, we mainly use the camera light as an 
"on-air" indicator.

At the moment, the spec says:

Turning on:
If the result of the request is "granted", User Agents are encouraged 
to include a prominent indicator that the devices are "hot" (i.e. an 
"on-air" or "recording" indicator), as well as a "device accessible" 
indicator indicating that the page has been granted access to the 
source.

Turning off:
A script can indicate that a MediaStreamTrack object no longer needs 
its source with the stop() method. When all tracks using a source have 
been stopped or ended by some other means, the source is 
stopped...... If the data is being generated from a live source (e.g., 
a microphone or camera), then the User Agent should remove any active 
"on-air" indicator for that source.

Disabling:
A muted or disabled MediaStreamTrack renders either silence (audio), 
black frames (video), or a zero-information-content equivalent. For 
example, a video element sourced by a muted or disabled 
MediaStreamTrack (contained within a MediaStream), is playing but the 
rendered content is the muted output. When all tracks connected to a 
source are muted or disabled, the "on-air" or "recording" indicator 
for that source can be turned off; when the track is no longer muted 
or disabled, it must be turned back on.

Disabling is a JavaScript-controllable function, using the "enabled" 
attribute of a track.

(Note that it says "can be turned off" and "must be turned back on" - 
so keeping the light on is legal.)

Two worries with this wording:

- Privacy: Disabling the track and having the light go out leads to a 
malicious application being able to turn on the camera briefly to take 
a picture at any later time, possibly without the user noticing 
because the indicator flash is so brief.
- Practicality: For a certain class of drivers, turning the light off 
means closing the camera. Re-opening the camera will take significant 
cycles, and having the camera device released means losing what little 
guard we have against some other app stealing the camera while it's 
closed.

Suggestion: Change the language in the third quote above to read:

"When all tracks connected to a source are muted, the "on-air" or 
"recording" indicator for that source can be turned off; when the 
track is no longer muted, it must be turned back on.
When the track is disabled, but not muted, the "on-air" or "recording" 
indicator should still be on, to indicate that the device is still 
available to the application at any time."

Thoughts?




Please view or discuss this issue at 
https://github.com/w3c/mediacapture-main/issues/389 using your GitHub 
account

Received on Thursday, 1 September 2016 09:36:28 UTC
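
The difference between the current wording and the suggested wording in the issue above, as an added example (not part of the original issue, the spec, or any browser's code): a JavaScript model of one source's indicator, replayed over a constructed timeline. The names `indicatorOn` and `replay`, the policy labels and all timestamps are assumptions for illustration; the "current" policy models a User Agent that does use the permission to turn the light off.

```javascript
// Added model. A track carries the MediaStreamTrack fields named in the
// issue: enabled (script-controlled), muted (UA/source-controlled), readyState.
function indicatorOn(tracks, policy) {
  const live = tracks.filter(t => t.readyState === "live");
  if (live.length === 0) return false; // source stopped: indicator removed
  if (policy === "current") {
    // Current wording: light may go off when ALL tracks are muted or disabled.
    return live.some(t => !t.muted && t.enabled);
  }
  // Suggested wording: only muting turns the light off; a disabled track
  // still holds the device, so the light stays on.
  return live.some(t => !t.muted);
}

// Replays {at, set} events on a single track from t=0 to endAt (ms) and
// returns the total lit time and the shortest continuous lit interval.
function replay(events, endAt, policy) {
  const track = { enabled: true, muted: false, readyState: "live" };
  const intervals = [];
  let litSince = indicatorOn([track], policy) ? 0 : null;
  for (const ev of [...events, { at: endAt, set: {} }]) {
    Object.assign(track, ev.set);
    const lit = ev.at < endAt && indicatorOn([track], policy);
    if (lit && litSince === null) litSince = ev.at;
    if (!lit && litSince !== null) {
      intervals.push(ev.at - litSince);
      litSince = null;
    }
  }
  const litMs = intervals.reduce((a, b) => a + b, 0);
  return { litMs, shortestMs: Math.min(...intervals) };
}

// Constructed timeline: the page disables its track after one minute, then
// re-enables it for 150 ms nine minutes later, holding the device throughout.
const timeline = [
  { at: 60000, set: { enabled: false } },
  { at: 600000, set: { enabled: true } },
  { at: 600150, set: { enabled: false } },
];
const END = 900000;

console.log("current  :", replay(timeline, END, "current"));
console.log("suggested:", replay(timeline, END, "proposed"));
```

Under the "current" policy the second lit interval is only 150 ms, which is the brief flash the Privacy bullet describes; under the suggested wording the indicator is lit for the whole 15 minutes the page holds the device.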