Re: Proposed new text for noaccess from Eric Rescorla on 2013-10-27 (public-media-capture@w3.org from October 2013)

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 27 Oct 2013 07:28:01 -0700
To: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>, "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <CABcZeBMpiBdawAO1WSt_RjNMBZtp8KPxMeNBFjh_R63eqXcMNA@mail.gmail.com>

On Sun, Oct 27, 2013 at 4:20 AM, Stefan Håkansson LK <
stefan.lk.hakansson@ericsson.com> wrote:

> To me (and that perhaps says more about my lack of competence than this
> text) a lot is still unclear:
>

Hmmm...I think a lot of this follows directly from the constraint model,
so I'm reluctant to describe it for this particular constraint and not
others.



> * I think we need to elaborate a bit more of what "accessible to the
> content JS" means. Can you record (presumably not)?


No, because that's the content of the stream.



> Can you clone?
>

Yes, because you're just manipulating the handle.



> * It is also unclear if you can change an existing track from "noaccess"
> to normal (or vice versa).


Yes, because it's a constraint.


And if that is done, what will happen with
> illegal consumers?
>

That's what the discussion upthread between Harald, Martin, and I is
partly about.



> * Also unclear is when you can define "noaccess". Is it at gUM? Or at
> any time?
>

It's a constraint, so at any time.



> * Should there be any way for the app to check if a stream/track is
> "noaccess/identiTY"?
>

It's a constraint, so however constraints behave.



> * From the text below I understand that a "noaccess" stream/track can
> _not_ be sent over a PeerConnection. That should probably be said
> clearly (perhaps in the WebRTC draft).


Sure. I think it would be easier here.
I propose "Streams with noaccess constraint may not be added
to RTCPeerConnections. Any attempt to do so so results in
X" where X is the outcome of the upthread discussion.

-Ekr



>  Stefan
>
> On 26/10/13 16:37, Eric Rescorla wrote:
> > Harald pointed out that the noaccess text doesn't really work the way we
> > had in mind. Here
> > is my proposed new text. Note that the last paragraph is something we
> > haven't discussed
> > in detail, but I think is the right thing for what we want here.
> >
> >
> > When either the "noaccess" or "peerIdentity" constraints is applied to
> > a MediaStreamTrack, the track shall be isolated so that its content is
> > not accessible to the content JS. Either type of stream may be
> > Displayed in an appropriate tag (e.g., a video or audio element). The
> > video element must have a unique origin so that it is inaccessible to
> > the content JS. This is the same security mechanism as is used with an
> > ordinary audio or video element which has a src= property from a
> > separate origin.
> >
> > A stream with the peerIdentity constraint may also be used as the
> > argument to addStream() for a PeerConnection, subject to the
> > restrictions detailed in the WebRTC document.
> >
> > Browser implementations MAY choose to allow creation of "noaccess"
> > streams without an explicit permission prompt to the user. This allows
> > a mode where the JS does a "hair check" dialog for device selection
> > and then prompts the user prior to actually initiating the call by
> > re-setting the constraints.
> >
> >
> > -Ekr
> >
> >
>
>

Received on Sunday, 27 October 2013 14:29:10 UTC