[mediacapture-main] PING: Document tradeoff for non-HTTPS usage of getUserMedia

alvestrand has just created a new issue for 
https://github.com/w3c/mediacapture-main:

== PING: Document tradeoff for non-HTTPS usage of getUserMedia ==
From Nick Doty's mail on behalf of PING:

"You've heard from the TAG already about whether use of the API ever 
makes sense in unprivileged contexts. That is, when the user is asked 
for permission to access their camera, do they understand that they're
granting this permission to all network attackers as well as the site
they think they're talking to? I suspect this PING email thread is 
not going to change your minds about that already discussed topic. 
However, it would be worthwhile to note this security threat in the 
security considerations section and to note for user agent 
implementers the difficulty for this permission prompt."

This does not suggest a technical change in when getUserMedia is 
permitted, but does suggest that section 13 (security and privacy) 
should have some text explaining the reasoning behind the current 
spec.


See https://github.com/w3c/mediacapture-main/issues/249

Received on Monday, 21 September 2015 10:00:02 UTC