Re: Bug 23934 - Proposal: Always launch permission prompt to avoid leakage

On 12/11/2013 11:16 AM, Adam Bergkvist wrote:
> On 2013-12-10 02:26, Eric Rescorla wrote:
>> For the record, I am opposed to this entire piece of Jan-Ivar's 
>> proposal.
>>
>> As has been observed many times, there are plenty of opportunities
>> for fingerprinting and so going through these gyrations to make
>> it fractionally more difficult is silly.
>
> I think there's more to this than only protecting against fingerprinting.
>
> IMO, prompting for the getUserMedia() *request* itself, not only if 
> some devices survived the exclusion process, has benefits.
>
> * More consistent behavior when no devices pass the constraints. When 
> this happens in our current model, the user can be presented with 
> anything from nothing, the app just halts, to a detailed explanation 
> of what went wrong; depending on how the app is programmed to handle 
> this case. You could argue that the app that does nothing is badly 
> written (and I agree), but if we can make users' lives better even in 
> these cases I think we should.

In the case of an application written to offer the functionality when it 
can, and be silent about it when the functionality can't be offered, 
"nothing" is exactly what should happen.

I could easily argue that this is a decision the app should be allowed 
to make; I could also easily argue that an app that wants to do nothing 
should try to get all the information it gets from the "available 
devices" list - but then again, perhaps not all the information it needs 
is there.

>
> * We could offer alternative actions when no devices pass the constraints.

"We" as in "the browser", or as in "the application based on what the 
browser returns to it"?
Both are valid viewpoints. For various instances of "we", we are on both 
sides of that divide, so "we" is a term that we (sic) perhaps should be 
careful about using.

>
>  - Ask the user to connect a new device.
>
>  - Offer the user to select a media file that will act as a device 
> (This has been a use-case from very early on).
>
>  - Give the user the option to report, to the app, what went wrong so 
> it can explain in detail why you don't have the hardware required.
>
>  - Simply discard the prompt and don't expose anything to the app. 
> This is what you would do if a getUserMedia() prompt suddenly appeared 
> on a shady page.
>
> /Adam
>

Received on Wednesday, 11 December 2013 11:24:19 UTC