Re: Permission and the Device enumeration labels (Re: [Bug 22214] How long do permissions persist?)

On 2014-06-03 16:57, Harald Alvestrand wrote:
> I'm starting to think that dropping permissions for http users as early
> as possible is a reasonable thing to do..... I do have one outstanding
> problem, which is the device enumeration and the hidden labels.
>
> We decided long ago that:
>
> a) we don't want to expose device labels to the drive-by web
> b) we don't want a separate permissions prompt for getting device labels
> c) we're OK with exposing device labels to anyone who's already grabbed
> a device (which means that he's either passed a prompt or has a stored
> permission).
>
> Now, if an HTTP app wants to support the flow
>
> 1) Pick a camera
> 2) Take a photo
> 3) Repeat from 1) or end
>
> he has to open up a random device, enumerate labels, show the camera
> list, open up the camera, and hang on to his random device till the end.
>
> This seems clumsy, but it's the result of our previous decisions.
>
> We might want to consider a few alternatives, such as:
>
> - Make the "permission to view labels" sticky, even if "permission to
> open camera" is not. We're still protected from the drive-by web, but
> there's a new permission that just sticks around, which is kind of iffy.
> - Document explicitly that access to labels follows access to devices,
> so you have to do the "hang on to some device" trick to be able to
> re-enumerate cameras.
>
> I don't feel like we have an elegant set of properties here.....

There's no need to protect labels of devices that were in the list while 
the app had permission to enumerate labels. They are already leaked. The 
app could simply copy the info (label, deviceId) to a separate data 
structure.

But then we have labels for devices connected after the app released the 
permission to the last device. I think it would be ok to keep the label 
on devices the app has seen, but hide them for new devices until 
another permission is granted. That way, nothing new is leaked and nothing 
the app had access to suddenly disappears.

/Adam

Received on Wednesday, 4 June 2014 05:49:12 UTC
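
The rule proposed in the reply above, modelled for a single origin as an added example; it is not part of the original message, the specification or any browser implementation. `LabelPolicy`, its methods and the device ids and labels are hypothetical names and constructed sample values, and the model assumes a device counts as "seen" if it was in the list at any time while the origin held a device open.

```javascript
// Model of the label rule proposed above. LabelPolicy and its methods are
// hypothetical names for this sketch, not a browser API. One instance = one origin.
class LabelPolicy {
  constructor() {
    this.connected = new Map(); // deviceId -> label, as known to the user agent
    this.seen = new Set();      // deviceIds listed while this origin held a device
    this.held = 0;              // devices the origin currently has open
  }
  plug(deviceId, label) {
    this.connected.set(deviceId, label);
    if (this.held > 0) this.seen.add(deviceId); // appears while labels are visible
  }
  unplug(deviceId) { this.connected.delete(deviceId); }
  open() {
    // Prompt passed or stored permission used: every listed label is now exposed.
    this.held += 1;
    for (const id of this.connected.keys()) this.seen.add(id);
  }
  close() { if (this.held > 0) this.held -= 1; }
  enumerate() {
    // Labels stay for devices already seen; anything else gets an empty label.
    return [...this.connected].map(([deviceId, label]) => ({
      deviceId,
      label: this.seen.has(deviceId) ? label : "",
    }));
  }
}

// Constructed scenario: device ids and labels are sample values.
function runScenario() {
  const ua = new LabelPolicy();
  ua.plug("cam-1", "Built-in camera");
  const driveBy = ua.enumerate();     // no device opened yet
  ua.open();
  const whileOpen = ua.enumerate();
  ua.close();                         // last device released
  ua.plug("cam-2", "USB camera");     // connected after release
  const afterRelease = ua.enumerate();
  ua.open();                          // another permission is granted
  const reopened = ua.enumerate();
  return { driveBy, whileOpen, afterRelease, reopened };
}
```

In `afterRelease`, `cam-1` keeps its label and `cam-2` is listed with an empty one, so the page loses nothing it had already read and learns nothing new until it opens a device again.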