Re: CfC: only allow authenticated origins to call getUserMedia from Martin Thomson on 2014-10-08 (public-media-capture@w3.org from October 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 7 Oct 2014 19:23:43 -0700
To: Cullen Jennings <fluffy@cisco.com>
Cc: public-media-capture@w3.org, Stefan Hakansson LK <stefan.lk.hakansson@ericsson.com>
Message-ID: <CABkgnnW4OzCnw2_DmOxmHrYUT216EUzVby1LPo+GCi-fqXHfCw@mail.gmail.com>

I think that this request is reasonable.

FWIW, I am ambivalent about this one. If we had gone out with something
from, or near, the start, it would have been easier. As it stands, security
of this comes down to an assessment of their network environment by users,
which is clearly not ideal, but nor is it the worst thing ever. There are
worse things, and any exposure is strictly limited.
On Oct 7, 2014 6:52 PM, "Cullen Jennings (fluffy)" <fluffy@cisco.com> wrote:

>
> I am asking the chairs to extend this consensus call to two weeks. Four
> days is not enough time for a consensus call. Many people are busy with
> other things and many of our participants clearly do not check this list on
> a daily basis.
>
>
> On Oct 6, 2014, at 11:35 PM, Stefan Håkansson LK <
> stefan.lk.hakansson@ericsson.com> wrote:
>
> > Following the recent discussion on the list, the Chairs detect that
> > there seems to be consensus to move to only allowing authenticated
> > origins (as defined in [1]) to use getUserMedia (both the callback and
> > Promise version).
> >
> > Please respond by Friday this week (Oct 10th) if you’re OK or Not OK
> > with this change (silence will be interpreted as being OK with it).
> >
> > Harald and Stefan
> >
> > [1]
> >
> https://w3c.github.io/webappsec/specs/mixedcontent/#is-origin-authenticated
> >
> >
>
>
>

Received on Wednesday, 8 October 2014 02:24:12 UTC