- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 10 Sep 2014 10:16:27 +0200
- To: Stefan HÃ¥kansson LK <stefan.lk.hakansson@ericsson.com>
- Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
On Wed, Sep 10, 2014 at 10:07 AM, Stefan HÃ¥kansson LK <stefan.lk.hakansson@ericsson.com> wrote: > On 08/09/14 19:25, Anne van Kesteren wrote: >> Is it true that the only reason we are not requiring an authenticated >> origin for getUserMedia() is that it might break tests or demos? Tests >> or demos do not usually influence design choices. > > No, I don't think that is true at all, in fact I do not remember that > tests were mentioned at all as a reason when the design was made. So it was because of demos? > Allowing plain http domains to ask for access to media devices is > discussed a lot in, including API and UI requirements. Specifically > it is said that > > "Implementations MAY also opt to refuse all permissions grants for HTTP > origins, but it is RECOMMENDED that currently they support one-time > camera/microphone access." Why is this not part of the API document? And why is this the recommendation? E.g. things like http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#section-5.1 would be much better if they were defined as part of the API in terms of https://w3c.github.io/webappsec/specs/mixedcontent/ terminology. -- http://annevankesteren.nl/
Received on Wednesday, 10 September 2014 08:16:56 UTC