- From: François Daoust via GitHub <sysbot+gh@w3.org>
- Date: Thu, 28 May 2015 16:45:14 +0000
- To: public-secondscreen@w3.org

I took an action to investigate possible spec adjustments that would be needed for that issue, if any. In the end, I do not think that there needs to be any normative adjustment to the spec to enable the use case if we drop the `presentationId` from `startSession` as agreed as part of the discussion on issue #39 (Resumption of multiple sessions).

When a user loads a Web page on a user agent that can act as a presenting user agent, the user agent may automatically allow external devices to connect to that Web page using the Presentation API. The Web page may ignore all incoming messages if it does not want to become a presenting page, otherwise it can listen to the `sessionavailable` event on `navigator.presentation` to be notified when an external user agent connects to it, as agreed to resolve issue #19 (Specify behavior when multiple controlling pages are connected to the session).

As noted in a previous comment, for the user agent to be able to turn a Web page into a presentation session, the Web page would already need to run in the right private browsing mode.

In summary, to resolve the issue, I would propose to:

1. add a statement along the lines of "A presenting user agent MAY expose any Web page it loads in a private browsing context as a presenting browsing context" to make it clear that this is an acceptable behavior; and
2. complete the spec with informative guidelines on the implications of what "exposing" may entail when we have a clearer picture.

I'm using "private browsing context" here to mean the restricted context that the spec is likely going to mandate on presenting user agents.

There is one privacy question that remains but it also applies to the multiple controlling pages case: how can an external user agent know that there is a presentation session running on the presenting user agent for that URL? Will the presenting user agent advertise the URL on the local network for instance? The charter notes that the mechanism by which other user agents become authorized is out of scope. As with security considerations, we may still need to write implementation guidelines once we have practical experience on the topic to ensure that implementers understand possible implications.

@mfoltzgoogle, @avayvod: Who can tell which URL is currently loaded in Chromecast? Everyone on the local network? Only paired devices?

-- GitHub Notif of comment by tidoust
See https://github.com/w3c/presentation-api/issues/32#issuecomment-106478813

Received on Thursday, 28 May 2015 16:45:19 UTC