- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 3 Sep 2013 16:10:31 +0100
- To: Harald Alvestrand <harald@alvestrand.no>
- Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
On Tue, Sep 3, 2013 at 2:37 PM, Harald Alvestrand <harald@alvestrand.no> wrote:
> At the moment, permitting access to devices happens on a per-origin basis.

Okay, so if we compare this to File that seems roughly equivalent. <input type=file> on one page doesn't necessarily give another page access to it.

> If we permit mediastreams to cross origin boundaries, granting access to a
> device effectively means that we've granted access to the device and
> everything that piece of javascript shares the mediastream with (whether
> it's by design, by accident, or because it's been attacked).

This seems less clear. That the initial permission is per-origin makes sense. But that the origin is bound to the object is a new design tactic as far as I can tell and not employed elsewhere (although it was for a limited period for blob URLs until we decided that was wrong). That is, message channels, transferable objects, etc. are very much designed around capability-based security.

> It's not necessarily wrong, but I think it's a different model than what
> we've grappled with so far.

Understood. I'd like to work through it, since it seems getting this consistent is important. And if there's indeed a problem with exposing things cross-origin they may very well apply to existing objects such as File.

> (the whole question of "tainting" media with sharing restrictions is a
> different question, also interesting.)

I don't fully understand this scenario.

--
http://annevankesteren.nl/
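The two designs the message contrasts can be made concrete with a small model. The following is an added example, not code from this thread, from any browser, or from the Media Capture specification: it uses no real web APIs, and `grantDevice`, `readFrames`, `effectiveAccess` and the origins it lists are all hypothetical. It shows what a single per-origin grant turns into once the granted object reaches other origins, under an origin-bound object versus a capability whose possession is itself the permission.

```javascript
// Added illustration (hypothetical names, no browser APIs). It models the
// two designs discussed above: an object that stays bound to the origin
// the user granted it to, versus a capability that anyone holding it can use.

const ORIGIN_BOUND = "origin-bound";
const CAPABILITY = "capability";

// The user approves `deviceId` for `origin`. This per-origin grant is the
// starting point of both designs; the handle records which origin it was for.
function grantDevice(deviceId, origin) {
  return { deviceId, grantedOrigin: origin };
}

// Attempt to read from the device as code running in `callerOrigin`.
// Returns a string on success and throws when the chosen model denies it.
function readFrames(handle, callerOrigin, model) {
  if (model === ORIGIN_BOUND && handle.grantedOrigin !== callerOrigin) {
    throw new Error(`${callerOrigin} may not use ${handle.deviceId}`);
  }
  // Under the capability model possession is sufficient: the permission
  // check happened once, when the handle was created.
  return `frames from ${handle.deviceId} for ${callerOrigin}`;
}

// Given every origin that ended up holding the handle (by design, by
// accident, or after a compromise), list the ones that can actually use it.
function effectiveAccess(handle, holders, model) {
  return holders.filter((origin) => {
    try {
      readFrames(handle, origin, model);
      return true;
    } catch (_) {
      return false;
    }
  });
}

// Worked scenario (constructed): a.example is granted the camera, and the
// stream object then reaches two other origins, e.g. via postMessage.
function scenario() {
  const cam = grantDevice("camera-1", "https://a.example");
  const holders = ["https://a.example", "https://b.example", "https://c.example"];
  return {
    [ORIGIN_BOUND]: effectiveAccess(cam, holders, ORIGIN_BOUND),
    [CAPABILITY]: effectiveAccess(cam, holders, CAPABILITY),
  };
}

// Origin-bound: only a.example can read; capability: all three holders can.
console.log(scenario());
```

The point the model makes visible is that under the capability design the security boundary is the set of places the object can flow to, so the audit question becomes "who can obtain the handle" rather than "who was granted the device".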
Received on Tuesday, 3 September 2013 15:10:58 UTC