- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Tue, 27 Oct 2015 16:40:31 -0400
- To: Nick Doty <npdoty@w3.org>
- Cc: Harald Alvestrand <harald@alvestrand.no>, public-media-capture@w3.org, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CABtrr-VpDtkfyQ-nZH9Pbq-tCCFXJPvNNV+Brz85wNzKGEJ1kw@mail.gmail.com>
On Fri, Oct 23, 2015 at 8:07 PM, Nick Doty <npdoty@w3.org> wrote:

> > "when the page is secure"
> >
> > "secure" is a word that often gets defined in different ways. Would it be
> > more precise to refer to "privileged contexts"?
> > http://www.w3.org/TR/powerful-features/#settings-privileged
> >
> > Not persisting permissions in such settings is a good base-line
> > requirement. Section 10.6 states that persistent permissions must be
> > served over HTTPS and have no mixed content. It would be nice to see the
> > definition of mixed content expanded to include the various issues
> > mentioned in Bonneau's recent paper[1]. For example, if a site elects to
> > use pinning, it should be considered to have mixed content if it loads
> > non-pinned content.
> >
> > [1] http://www.jbonneau.com/doc/KB15-NDSS-hsts_pinning_survey.pdf
> >
> > [Note: This last point is perhaps also relevant to
> > http://www.w3.org/TR/mixed-content/]
>
> We refer to https://www.w3.org/TR/mixed-content/ - we do not want to
> redefine the concept in this document, believing that this would only cause
> confusion for implementors.
> If mixed-content needs updating, then that is the proper place to fix the
> issue.
>
> Joe and Greg, I believe you had identified this particular concern and
> connection to the Bonneau paper. Can we check whether the problem needs to
> be addressed in the Mixed Content, this spec, both or neither?

I think this is more a Mixed Content 2.0 issue (as in a future update to
Mixed Content that would try to get more granular about security states and
transitions between them.)

--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
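The quoted proposal above would widen "mixed content" so that a page whose site uses key pinning counts a subresource from a non-pinned host as mixed, on top of the classic case of an https page fetching over http. The following is an editor's illustration of that classification, added here; it is not code from the thread, from the Mixed Content specification, or from any browser. It assumes pin coverage can be modelled as a set of pinned hosts with an optional includeSubDomains flag (the RFC 7469 HPKP shape), and it reduces the spec's "potentially trustworthy" schemes to https, wss and data for brevity. Names such as PinPolicy and classify_subresource are mine.

```python
"""Classify subresource loads under the classic and the proposed extended
notion of mixed content.  Added example, not from the thread or any spec.

Assumptions (not stated on the page):
  * pin coverage = host + includeSubDomains flag, as in RFC 7469 HPKP
  * "potentially trustworthy" schemes reduced to https, wss and data
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urljoin


@dataclass(frozen=True)
class PinPolicy:
    """One pinned host; include_subdomains mirrors HPKP's includeSubDomains."""
    host: str
    include_subdomains: bool = False

    def covers(self, host: str) -> bool:
        host, pinned = host.lower(), self.host.lower()
        if host == pinned:
            return True
        return self.include_subdomains and host.endswith("." + pinned)


def host_is_pinned(host: str, pins) -> bool:
    return any(p.covers(host) for p in pins)


def classify_subresource(page_url: str, resource_url: str, pins=()) -> str:
    """Return one of:
    'not-applicable' - page itself is not https, so mixed content is undefined
    'mixed'          - classic case: https page loads over an unprotected scheme
    'non-pinned'     - extended case: pinned site loads from an unpinned host
    'ok'             - neither condition applies
    """
    page = urlsplit(page_url)
    # Resolve relative and scheme-relative references against the page URL.
    res = urlsplit(urljoin(page_url, resource_url))

    if page.scheme != "https":
        return "not-applicable"

    if res.scheme == "data":
        return "ok"  # no network fetch, nothing to intercept

    if res.scheme not in ("https", "wss"):
        return "mixed"  # classic mixed content

    # Extended rule from the proposal: only pages whose own host is covered
    # by a pin are held to the "everything must be pinned" standard.
    if pins and host_is_pinned(page.hostname or "", pins):
        if not host_is_pinned(res.hostname or "", pins):
            return "non-pinned"
    return "ok"


def audit_page(page_url: str, resource_urls, pins=()) -> dict:
    """Map each subresource URL to its classification for a whole page."""
    return {u: classify_subresource(page_url, u, pins) for u in resource_urls}


if __name__ == "__main__":
    # Constructed sample: a pinned site and a handful of typical subresources.
    pins = (PinPolicy("example.org", include_subdomains=True),)
    page = "https://www.example.org/account"
    loads = [
        "/static/app.js",                          # same site, covered by pin
        "https://static.example.org/style.css",    # subdomain, covered by pin
        "//cdn.example.net/lib.js",                # https via scheme-relative, unpinned
        "http://cdn.example.net/legacy.js",        # classic mixed content
        "data:image/png;base64,AAAA",              # no fetch at all
    ]
    for url, verdict in audit_page(page, loads, pins).items():
        print(f"{verdict:15} {url}")
```

A browser today would flag only the http:// load in that list; under the proposed extension the scheme-relative load from cdn.example.net would be flagged as well, because the pinned site's guarantee does not extend to that host. Whether that belongs in Mixed Content or in a later revision is exactly the question the reply above leaves open.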
Received on Tuesday, 27 October 2015 20:41:22 UTC