- From: Eric Rescorla <ekr@rtfm.com>
- Date: Mon, 2 Jun 2014 09:28:48 -0700
- To: cowwoc <cowwoc@bbs.darktech.org>
- Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
- Message-ID: <CABcZeBPASrPXEj0E-u8Uf=vMzkT4FTBxtptt2LPqd4ah_2m3pA@mail.gmail.com>
On Mon, Jun 2, 2014 at 9:19 AM, cowwoc <cowwoc@bbs.darktech.org> wrote: > On 02/06/2014 11:51 AM, Eric Rescorla wrote: > > > > > On Mon, Jun 2, 2014 at 8:39 AM, Harald Alvestrand <harald@alvestrand.no> > wrote: > >> On 06/02/2014 01:27 PM, Eric Rescorla wrote: >> >> >> >> >> On Sun, Jun 1, 2014 at 11:13 PM, Harald Alvestrand <harald@alvestrand.no> >> wrote: >> >>> On 06/02/2014 05:04 AM, Eric Rescorla wrote: >>> >>> >>> >>> >>> On Tue, May 27, 2014 at 1:32 PM, Martin Thomson < >>> martin.thomson@gmail.com> wrote: >>> >>>> On 27 May 2014 12:33, Harald Alvestrand <harald@alvestrand.no> wrote: >>>> > The discussion I heard at the Media Capture TF meeting was >>>> approximately >>>> > between two alternatives: >>>> > >>>> > 1) Permission persists until the device is released by all tracks >>>> sourced >>>> > from it. >>>> > >>>> > 2) Permission persists until the page is closed. (This may allow >>>> permissions >>>> > to survive a page reload.) >>>> >>>> The way we communicate with users is with indicators. From that >>>> perspective, either approach works. >>>> >>>> I tend to prefer the former. In the case where an application is >>>> granted access to camera 1, we don't want to also enable access to >>>> camera 2. I think that the latter implies a greater scope to consent >>>> than a single one-off interaction. >>>> >>>> I'd also like to keep this open to a degree of interpretation. Not >>>> all browsers will reach the same conclusions. Already, Chrome and >>>> Firefox are demonstrably different and I think that the current >>>> variation is within reasonable bounds. >>>> >>> >>> #2 seems to clearly violate the requirement that we only allow >>> persistent permissions when the page is loaded over HTTPS. >>> There are plenty of long-lived HTTP pages and it's not at all >>> OK to have them involve a long-lived permission after the >>> camera is closed. >>> >>> >>> That depends on the definition of "long-lived"; the interpretation I >>> had earlier was "long-lived" = "survives navigating away and coming back". >>> >> >> And how is that different from "persistent"? >> >> >> Sorry, I spoke confusingly - I've been using "long-lived" as a synonym >> for "persistent", so I was a bit confused when trying to parse your comment >> on #2. >> >> back to your comment: I still want to understand this - given that we are >> showing an indication as long as permissions persist, why do you say "it's >> not at all OK to have them involve a long-lived permission"? >> > > Well, for starters because we have had strong consensus on this point in > the IETF security document since 2012: > > http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-09#section-5.2 > > Because HTTP origins cannot be securely established against network > attackers, implementations MUST NOT allow the setting of permanent > access permissions for HTTP origins. Implementations MAY also opt to > refuse all permissions grants for HTTP origins, but it is RECOMMENDED > that currently they support one-time camera/microphone access. > > Any change to this will require consensus in the IETF RTCWEB WG. > > From a technical perspective, the available user interface research > > strongly indicates that users are banner-blind (and of course these > > indicators are often hidden in mobile applications), so I expect them > > to immediately forget that they have granted permissions to this > > page. Effectively you have made it impossible to grant one-time > > permissions and know with any real certainty that the site has > > relinquished access to the device. > > > > Our recent Google-internal discussion about "reload" involves the >>> realization that reloading a HTTP resource doesn't seem to invite any >>> attack that couldn't be performed against the original connection - which >>> seems to indicate that while it's an expansion of the attack surface, it's >>> a small one. >>> >>> The argument in favour of "reload" is that users have been taught for a >>> while by state-keeping applicatios that "if anything goes wrong, hit reload >>> and it will sort itself out" - and inserting a new permission prompt in >>> that flow disrupts that illusion. >>> >> >> I'd like to see a precise description of what you're proposing here. >> >> >> I find it easiest to describe the proposal in terms of the sequence of >> things I want to happen: >> >> <http page loads> >> getUserMedia() -> user prompt >> stream is returned via success callback >> stream is closed >> >> getUserMedia() -> no user prompt >> stream is returned via success callback (connected to device(s) for which >> permission was granted) >> > > Yes, I already object to this. This is at the heart of the distinction > between persistent > permissions and temporary permissions. Pages which want to do this should > be > hosted over HTTPS and ask for persistent permissions. > > -Ekr > > >> <http page reloads> >> getUserMedia() -> no user prompt >> stream is returned via success callback (connected to device(s) for which >> permission was granted) >> >> <another http page loads> >> getUserMedia() -> user prompt >> >> Is there a scenario not described here that matters? >> >> > Excuse me for jumping into the middle of this discussion, but... if an > application uses HTTPS with a certificate that covers multiple sub-domains > and the user grants permission to one of them, does the permission extend > over the same scope of the certificate (all sub-domains) or only the > initial (sub-)domain? > It's scoped to Web origin. http://tools.ietf.org/html/rfc6454 -Ekr
Received on Monday, 2 June 2014 16:29:57 UTC