Permission and the Device enumeration labels (Re: [Bug 22214] How long do permissions persist?)

I'm starting to think that dropping permissions for HTTP users as early 
as possible is a reasonable thing to do... I do have one outstanding 
problem, which is the device enumeration and the hidden labels.

We decided long ago that:

a) we don't want to expose device labels to the drive-by web
b) we don't want a separate permissions prompt for getting device labels
c) we're OK with exposing device labels to anyone who's already grabbed 
a device (which means that he's either passed a prompt or has a stored 
permission).

Now, if an HTTP app wants to support the flow

1) Pick a camera
2) Take a photo
3) Repeat from 1) or end

he has to open up a random device, enumerate labels, show the camera 
list, open up the camera, and hang on to his random device till the end.

This seems clumsy, but it's the result of our previous decisions.

We might want to consider a few alternatives, such as:

- Make the "permission to view labels" sticky, even if "permission to 
open camera" is not. We're still protected from the drive-by web, but 
there's a new permission that just sticks around, which is kind of iffy.
- Document explicitly that access to labels follows access to devices, 
so you have to do the "hang on to some device" trick to be able to 
re-enumerate cameras.

I don't feel like we have an elegant set of properties here.....




On 06/03/2014 02:11 AM, Eric Rescorla wrote:
>
> On Mon, Jun 2, 2014 at 4:46 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:
>
>     On 02/06/2014 6:22 PM, Martin Thomson wrote:
>
>         On 2 June 2014 15:19, cowwoc <cowwoc@bbs.darktech.org> wrote:
>
>             I'll flip this on its head: why do you want to deny
>             permissions when the
>             page is reloaded? What are you protecting the user from? :)
>
>         You.  And everyone like you who think that the camera is theirs.
>
>     Again, what attack vector are you actually protecting the user from?
>
> This is covered extensively in the security drafts.
>
>     This is equivalent to asking users of gmail.com
>     to re-authenticate every time they navigate to a different email
>     or reload the page. It's just silly and not grounded in security.
>
> If you want to not have that, then use HTTPS and ask for persistent
> permissions.
>
> -Ekr
>
>     We're building software for human beings, not machines! :)
>
>     Gili
>
>

Received on Tuesday, 3 June 2014 14:58:06 UTC
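The "hang on to some device" flow the message describes (open a throwaway device, enumerate labels while it is live, keep it open until the user is done picking cameras), written out as an added example that is not code from the thread or from any browser. To run offline it uses a constructed fake `mediaDevices` object implementing exactly the policy the message states: labels are exposed only while some device is open. In a browser you would pass `navigator.mediaDevices` instead; `makeFakeMediaDevices`, `listCameras` and `photoSession` are names chosen here, not any specification's API.

```javascript
// Constructed fake of the mediaDevices interface (assumption: labels are
// returned only while at least one captured track is still live, as the
// message describes; this is a model, not a real browser implementation).
function makeFakeMediaDevices(devices) {
  const live = new Set();
  return {
    async getUserMedia(constraints) {
      const kind = constraints.video ? 'videoinput' : 'audioinput';
      const wanted = constraints.video && constraints.video.deviceId;
      const dev = devices.find(d => d.kind === kind && (!wanted || d.deviceId === wanted));
      if (!dev) throw new Error('NotFoundError');
      const track = {
        kind, deviceId: dev.deviceId, readyState: 'live',
        stop() { this.readyState = 'ended'; live.delete(this); },
      };
      live.add(track);
      return { getTracks: () => [track] };
    },
    async enumerateDevices() {
      // Hidden labels for the drive-by web: only an open device reveals them.
      const exposeLabels = live.size > 0;
      return devices.map(d => ({
        kind: d.kind, deviceId: d.deviceId, label: exposeLabels ? d.label : '',
      }));
    },
    _liveCount: () => live.size,  // test hook, not part of the model
  };
}

// Step 1 of the flow: open a "random" anchor device so labels become visible,
// enumerate cameras, and hand the anchor back so the caller can keep it alive.
async function listCameras(mediaDevices) {
  const anchor = await mediaDevices.getUserMedia({ video: true });
  const cameras = (await mediaDevices.enumerateDevices())
    .filter(d => d.kind === 'videoinput');
  return { cameras, anchor };
}

function stopStream(stream) {
  for (const t of stream.getTracks()) t.stop();
}

// Full loop: pick a camera, open it, "take a photo", repeat or end.
// `chooser(cameras, i)` stands in for the user's selection on iteration i.
async function photoSession(mediaDevices, chooser, shots) {
  const { cameras, anchor } = await listCameras(mediaDevices);
  const taken = [];
  try {
    for (let i = 0; i < shots; i++) {
      const chosen = chooser(cameras, i);
      const stream = await mediaDevices.getUserMedia({ video: { deviceId: chosen.deviceId } });
      taken.push(chosen.label);  // stand-in for grabbing a frame
      stopStream(stream);        // the chosen camera is released after each shot
      // Re-enumerating still yields labels only because `anchor` is live.
      const again = await mediaDevices.enumerateDevices();
      if (again.some(d => d.kind === 'videoinput' && d.label === '')) {
        throw new Error('labels hidden again: anchor device was released too early');
      }
    }
  } finally {
    stopStream(anchor);  // end of the flow: drop the anchor, labels go dark again
  }
  return taken;
}
```

The point the model makes visible is the clumsiness the message complains about: nothing in the flow needs the anchor device's media, it exists only to keep the label permission "open", and releasing it one step too early silently turns every label back into an empty string.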