- From: ddorwin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 07 Sep 2016 23:46:15 +0000
- To: public-html-media@w3.org
ddorwin has just created a new issue for https://github.com/w3c/encrypted-media:

== "Provide per-origin user alerts / prompts and permissions" headings do not accurately reflect the content ==

Both the Security and Privacy sections have mitigations with the heading "**Provide per-origin user alerts / prompts and permissions**".

The current heading could be interpreted as:

1. The mitigation is to provide alerts or permission prompts.
2. The mitigation is to ensure that any alerts, prompts, or permissions are per-origin.

More importantly, both contain important requirements that extend beyond alerts, prompts, or permissions. The per origin (and per browsing profile) requirements in the following paragraph are an additional mitigation. Certainly those requirements must (#314) be per-origin, but that is not the most important mitigation in these sections.

Specifically:

* https://w3c.github.io/encrypted-media/#security-prompts says, "User agents SHOULD ensure that users are fully informed and/or give explicit consent before a Key System that presents security concerns that are greater than other user agent features (e.g. DOM content) may be accessed by an origin."
* https://w3c.github.io/encrypted-media/#privacy-prompts says "User agents MUST ensure that users are fully informed and/or give explicit consent before using Distinctive Identifier(s) and Distinctive Permanent Identifier(s)."

Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/315 using your GitHub account
Received on Wednesday, 7 September 2016 23:46:27 UTC