Re: Extending createObjectUrl to MediaStream?

On 09/03/2013 03:20 PM, Anne van Kesteren wrote:
> On Tue, Sep 3, 2013 at 2:01 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>> Yes. For example there are plans to enable some kind of "private mode" for
>> WebRTC MediaStreams that protects stream contents from inspection by the
>> page. I don't know exactly how this is going to work, but if we allow
>> MediaStreams to span domains it may get more complicated.
> This scenario sounds very different from the one you outline next.
>
>
>> More concretely,
>> in Gecko we have experimental code to pipe HTML media element output into
>> MediaStreams, so we already tag MediaStream data with origin information,
>> but it's implemented in such a way that getUserMedia from one domain would
>> be restricted in another domain (the other domain could render it in a media
>> element, but it would be treated as cross-origin and thus would taint
>> canvases it's drawn into, for example).
> It's not clear why if as a page I decide to share the MediaStream
> object I would not want all of that to be shared as I could share all
> of that regardless, it'd just require more hoops to jump through.
>
>
>> I think it may make sense to provide cross-origin MediaStream transfer at
>> some point in the future, but I think we have more important things to work
>> on first.
> Again, what I'm trying to understand is why we have origin ties in the
> first place. So far no objects carry origin information in this
> regard.
>
>
At the moment, permitting access to devices happens on a per-origin basis.

If we permit MediaStreams to cross origin boundaries, granting access to
a device effectively means that we've granted access to the device and
everything that piece of JavaScript shares the MediaStream with (whether
it's by design, by accident, or because it's been attacked).

It's not necessarily wrong, but I think it's a different model than what 
we've grappled with so far.

(The whole question of "tainting" media with sharing restrictions is a
different question, also interesting.)

Received on Tuesday, 3 September 2013 13:38:22 UTC