- From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Date: Tue, 3 Sep 2013 13:44:47 +0000
- To: Harald Alvestrand <harald@alvestrand.no>
- CC: "public-media-capture@w3.org" <public-media-capture@w3.org>
On 2013-09-03 15:38, Harald Alvestrand wrote:

> On 09/03/2013 03:20 PM, Anne van Kesteren wrote:
>> On Tue, Sep 3, 2013 at 2:01 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>>> Yes. For example there are plans to enable some kind of "private mode" for WebRTC MediaStreams that protects stream contents from inspection by the page. I don't know exactly how this is going to work, but if we allow MediaStreams to span domains it may get more complicated.
>>
>> This scenario sounds very different from the one you outline next.
>>
>>> More concretely, in Gecko we have experimental code to pipe HTML media element output into MediaStreams, so we already tag MediaStream data with origin information, but it's implemented in such a way that getUserMedia from one domain would be restricted in another domain (the other domain could render it in a media element, but it would be treated as cross-origin and thus would taint canvases it's drawn into, for example).
>>
>> It's not clear why if as a page I decide to share the MediaStream object I would not want all of that to be shared as I could share all of that regardless, it'd just require more hoops to jump through.
>>
>>> I think it may make sense to provide cross-origin MediaStream transfer at some point in the future, but I think we have more important things to work on first.
>>
>> Again, what I'm trying to understand is why we have origin ties in the first place. So far no objects carry origin information in this regard.
>
> At the moment, permitting access to devices happens on a per-origin basis.
>
> If we permit mediastreams to cross origin boundaries, granting access to a device effectively means that we've granted access to the device and everything that piece of javascript shares the mediastream with (whether it's by design, by accident, or because it's been attacked).

Yes. But trusting the app that requests access to devices to do no harm is already in the model. It could record and send wherever, open a PeerConnection and stream to anyone etc. Trusting it to not transfer a MediaStream object to an evil app (from another domain) adds very little attack surface IMO.

> It's not necessarily wrong, but I think it's a different model than what we've grappled with so far.
>
> (the whole question of "tainting" media with sharing restrictions is a different question, also interesting.)
Received on Tuesday, 3 September 2013 13:45:12 UTC
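The origin-tagging and canvas-tainting behaviour Robert describes in the quoted text, as an added toy model that is not code from the thread or from Gecko; `MediaStream`, `Canvas`, `getUserMedia`, `transferStream` and `readbackAllowed` are invented names, and the data-URL payload is a placeholder:

```javascript
// Toy model of the tainting rule discussed in the thread: MediaStream data
// carries the origin that obtained device access, and a canvas that receives
// data from another origin loses its origin-clean flag, so the receiving page
// can render the stream but cannot read the pixels back. Added illustration
// with invented names; not Gecko's implementation.

class MediaStream {
  constructor(origin) {
    this.origin = origin; // origin tag attached when the data is produced
  }
}

// Device permission is granted per origin, so the stream is tagged with the
// origin of the page that called getUserMedia.
function getUserMedia(pageOrigin) {
  return new MediaStream(pageOrigin);
}

// Handing the stream to a document on another origin keeps the producer's
// tag: the tag travels with the data, not with whoever holds the object.
function transferStream(stream) {
  return new MediaStream(stream.origin);
}

class Canvas {
  constructor(documentOrigin) {
    this.origin = documentOrigin;
    this.originClean = true; // same flag the HTML canvas rules use
  }
  // Drawing a frame whose origin differs from the document's taints the
  // canvas, as drawing a cross-origin <img> or <video> does.
  drawStream(stream) {
    if (stream.origin !== this.origin) this.originClean = false;
  }
  // Pixel readback is refused once the canvas is tainted.
  toDataURL() {
    if (!this.originClean) throw new Error('SecurityError: canvas is tainted');
    return 'data:image/png;base64,PLACEHOLDER';
  }
}

// Returns true when the page that owns `canvas` may read the stream's pixels.
function readbackAllowed(stream, canvas) {
  canvas.drawStream(stream);
  try { canvas.toDataURL(); return true; } catch (e) { return false; }
}
```

A same-origin stream leaves the canvas readable; the same stream transferred to a page on another origin renders but taints that page's canvas.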