I've been starting to wonder if it's worth having a mechanism to restrict access to APIs in CSP. A good example here is getUserMedia(), which allows access to the camera and microphone. It's going to be possible to set a persistent permission allowing an origin to access these devices, but you could imagine that a site might want to restrict that permission to specific pages. This could obviously be done with domain sharding, but that's gross...

So, you could imagine a CSP directive like:

    forbid-function getUserMedia

That would restrict access to getUserMedia. Other candidates here might be the webcrypto APIs to the extent to which they allow access to persistent origin-bound keys.

1. Does this sound like a plausible goal to people?
2. Any suggestions about the syntax?

-Ekr

Received on Friday, 2 November 2012 12:49:35 GMT
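The semantics the message proposes, modelled as an added example that is not part of the original post or of any CSP specification: a policy string is split into directives, the names listed under `forbid-function` are collected, and the matching functions on a stand-in for `navigator` are replaced and locked. The helper names `parseForbidden`, `enforce` and `demo`, the sample policy and the stand-in object are all assumptions made for illustration.

```javascript
// `forbid-function` is the directive proposed in the message above; it is not
// a standardized CSP directive. All helper names here are hypothetical.

// Split a policy the way CSP policies are written: directives separated by
// ';', each one a name followed by whitespace-separated values.
function parseForbidden(policy) {
  const forbidden = new Set();
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // Directive names are case-insensitive; function names are kept as-is.
    if (name.toLowerCase() !== 'forbid-function') continue;
    for (const fn of values) forbidden.add(fn);
  }
  return forbidden;
}

// Replace each forbidden function on `target` with one that throws, and lock
// the property so later script cannot put the original back.
function enforce(target, forbidden) {
  const blocked = [];
  for (const fn of forbidden) {
    if (typeof target[fn] !== 'function') continue; // unknown names: ignore
    Object.defineProperty(target, fn, {
      value() { throw new Error(`${fn} is forbidden by policy`); },
      writable: false,
      configurable: false,
    });
    blocked.push(fn);
  }
  return blocked;
}

// Constructed sample input: a policy value and a stand-in for `navigator`.
function demo() {
  const samplePolicy = "default-src 'self'; forbid-function getUserMedia";
  const fakeNavigator = {
    getUserMedia() { return 'camera stream'; },
    vibrate() { return true; },
  };
  const blocked = enforce(fakeNavigator, parseForbidden(samplePolicy));
  let outcome;
  try { outcome = fakeNavigator.getUserMedia(); } catch (e) { outcome = e.message; }
  return { blocked, outcome, untouched: fakeNavigator.vibrate() };
}

console.log(demo());
```

A script-level shim like this only models the behaviour; the message proposes a CSP directive, which the browser itself would enforce.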