- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 28 Apr 2014 12:00:50 -0700
- To: "public-media-capture@w3.org" <public-media-capture@w3.org>

On 28 April 2014 11:52, Martin Thomson <martin.thomson@gmail.com> wrote:
> We talked in the past about forbidding the persistence of permissions
> for non-secure origins (e.g., http://example.com).
>
> I know that we've talked about this on numerous occasions and we seem
> to have had agreement, but I can't find any record of it in the spec.

In the interests of forward progress, how about:

User agents MUST NOT rely on persisted permissions for origins that
are not strongly authenticated, such as "http" origins. Such origins
can be trivially spoofed by a network attacker, which could be
exploited to gain access to media devices.

Throw in there anywhere. Maybe in with Harald's newly proposed
security/privacy considerations.

Received on Monday, 28 April 2014 19:01:17 UTC
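
The proposed requirement, sketched as an added example that is not part of the original message and is not code from any user agent. The `MediaPermissionStore` class, its method names and the choice to treat only `https:` as strongly authenticated are assumptions made for illustration.

```javascript
// Hypothetical user-agent permission store (illustrative only).
// Assumption: only the "https:" scheme counts as strongly authenticated.
const AUTHENTICATED_SCHEMES = new Set(["https:"]);

// Returns the normalized origin, or null when the string does not parse.
function normalizeOrigin(origin) {
  try {
    return new URL(origin);
  } catch {
    return null;
  }
}

function isStronglyAuthenticated(origin) {
  const url = normalizeOrigin(origin);
  return url !== null && AUTHENTICATED_SCHEMES.has(url.protocol);
}

class MediaPermissionStore {
  // `persisted` models grants already on disk, e.g. from an older profile.
  constructor(persisted = []) {
    this.persisted = new Set(persisted.map(([o, d]) => `${o}|${d}`));
  }

  // Called after the user answers a prompt with "allow".
  // Returns true only if the grant was actually written to the store.
  recordGrant(origin, device, remember) {
    if (!remember || !isStronglyAuthenticated(origin)) return false;
    this.persisted.add(`${normalizeOrigin(origin).origin}|${device}`);
    return true;
  }

  // Decision taken before handing out a media device.
  // A stored record for a non-authenticated origin is never relied on,
  // because a network attacker can serve content under that origin.
  decide(origin, device) {
    if (!isStronglyAuthenticated(origin)) return "prompt";
    const key = `${normalizeOrigin(origin).origin}|${device}`;
    return this.persisted.has(key) ? "granted" : "prompt";
  }
}

// Constructed sample data: one grant per scheme already present in the store.
const sampleStore = new MediaPermissionStore([
  ["https://example.com", "camera"],
  ["http://example.com", "camera"],
]);
```
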