Re: WebRTC Security Assessment

On Thu, Nov 27, 2014 at 10:56 AM, Bert Bos <bert@w3.org> wrote:
>
> Jan-Ivar Bruaroey wrote:
> > On 11/13/14, 2:17 PM, Stephen Farrell wrote:
> > > It's in the nature of this kind of project/report that it's
> > > developed over an extended period so with a fast-moving area
> > > like this it's not a surprise that stuff gets outdated. We're
> > > in any case happy to fix that.
> >
> > With respect to the permissions Randell mentions, Firefox never worked
> > the way the report claims, which make the claims wrong, not outdated.
> >
> > I agree it's OK to be wrong and fix things, but that's different from
> > claiming it used to be right.
>
> I wrote the original text on which the section about camera permissions in
> the STREWS report[1] (section 3.2) is based. Checking my notes, it appears
> it was in December 2013. I may of course have misinterpreted what I
> observed, but I was pretty careful.
>
> I didn't find an option in Firefox to set permissions permanently for a
> given site or URL. Firefox also didn't distinguish between HTTP and HTTPS
> connections, as Chrome did (which is probably a good thing, in terms of
> user
> interface, but that aside).


Firefox 28 did not offer permanent permissions at all, whether
for HTTP to HTTPS, so what distinction would you have us draw?


> And I didn't find a way to revoke permissions,
> other than by closing the browser window. It is possible that closing just
> the tab would have been enough. (I didn't have other tabs open so I didn't
> try that.) But I found no button or menu anywhere in the browser to stop
> the
> camera.
>

To the best of my knowledge, it has *never* been the case that you had
to close the browser. Closing the browser tab or navigating away are
sufficient.

In future, you should feel free to contact me with questions of this type;
I would be more than happy to arrange for someone to verify your
conclusions about the behavior of Firefox.

-Ekr