W3C home > Mailing lists > Public > public-media-capture@w3.org > April 2014

Re: gUM and persistent permissions

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 28 Apr 2014 12:00:50 -0700
Message-ID: <CABkgnnU--z=yZu54J9L8t-tokjCqQTwCtO5W7bVrCH5LxHkY7Q@mail.gmail.com>
To: "public-media-capture@w3.org" <public-media-capture@w3.org>
On 28 April 2014 11:52, Martin Thomson <martin.thomson@gmail.com> wrote:
> We talked in the past about forbidding the persistence of permissions
> for non-secure origins (e.g., http://example.com).
>
> I know that we've talked about this on numerous occasions and we seem
> to have had agreement, but I can't find any record of it in the spec.

In the interests of forward progress, how about:

User agents MUST NOT rely on persisted permissions for origins that
are not strongly authenticated, such as "http" origins.  Such origins
can be trivially spoofed by a network attacker, which could be
exploited to gain access to media devices.

Throw in there anywhere.  Maybe in with Harald's newly proposed
security/privacy considerations.
Received on Monday, 28 April 2014 19:01:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:26 UTC