
Re: [Bug 25809] Security issue: Abuse of "call me" URLs

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Aug 2014 14:28:56 -0700
Message-ID: <CABkgnnWtesUf0uWQo1pnE05-78nhDYae0TjPiyR_1kLQVUaLYw@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>

On 28 August 2014 03:24, Harald Alvestrand <harald@alvestrand.no> wrote:
>> We could for instance prevent getUserMedia from operating without an
>> "engagement gesture" (see
>> https://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html#glossary
>> ).
>
> I'm hesitant to go that route. This would add an extra activation step
> to pages whose only purpose is to send video - for instance, it would
> require an engagement gesture before starting the video on
> apprtc.appspot.com.
I find this tempting, despite the costs here.  The permissions prompt
is a popup of a sort, so applying the same protection makes a great
deal of sense.  It's obviously a non-issue on sites where permissions
are persisted, so I'm inclined quite favourably toward this.

The other suggestions, less so.  Enhancing CSP might be a good idea to
cover this, rather than the sandboxing stuff.  I have CSP folks within
spitting distance, so I'll ask.  The question of WebRTC as a whole is
probably more interesting in this regard.
Received on Thursday, 28 August 2014 21:29:25 UTC
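The "engagement gesture" gate discussed in the thread, as an added example that is not code from the message or from any browser: a page-side wrapper that only forwards to getUserMedia while the document holds transient user activation, checked through the UserActivation API (navigator.userActivation) that browsers have shipped since this discussion. The navigator object is injected as a parameter (an assumption of this example) so the guard can be exercised offline against a constructed stand-in.

```javascript
// Added example: refuse to prompt for camera/microphone unless a user
// gesture is live. Assumes navigator.userActivation (HTML UserActivation
// API); `nav` is passed in so the guard can run against a constructed stand-in.

class GestureRequiredError extends Error {
  constructor() {
    super('getUserMedia refused: no transient user activation');
    this.name = 'GestureRequiredError';
  }
}

// True only while the document holds transient activation, i.e. the user
// just clicked, tapped or pressed a key. Expires on its own shortly after.
function hasEngagementGesture(nav) {
  const ua = nav && nav.userActivation;
  return Boolean(ua && ua.isActive);
}

// Wrapper around getUserMedia: a "call me" URL loaded in the background
// cannot reach the permission prompt through this path without a gesture.
async function getUserMediaWithGesture(nav, constraints) {
  if (!hasEngagementGesture(nav)) {
    throw new GestureRequiredError();
  }
  return nav.mediaDevices.getUserMedia(constraints);
}

// Constructed stand-in for a browser navigator (not a real browser object).
function makeFakeNavigator(active) {
  return {
    userActivation: { isActive: active, hasBeenActive: active },
    mediaDevices: {
      getUserMedia: async (constraints) => ({ granted: true, constraints }),
    },
  };
}

// Runs the wrapper once with and once without a gesture and reports both
// outcomes as a value, so the behaviour can be checked rather than printed.
async function demo() {
  const withGesture = await getUserMediaWithGesture(makeFakeNavigator(true), { video: true });
  let refused = false;
  try {
    await getUserMediaWithGesture(makeFakeNavigator(false), { video: true });
  } catch (e) {
    refused = e instanceof GestureRequiredError;
  }
  return { granted: withGesture.granted, refusedWithoutGesture: refused };
}
```

In a real page the call sits inside a click or keydown handler, where the browser grants transient activation; a script that runs on page load will be refused by the same check.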
