W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2014

getUserMedia() and authenticated origins #2

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 1 Oct 2014 18:05:55 +0200
Message-ID: <CADnb78hKo53cHhUzy9gJDx4U=UC-zsH3h3=Bw27eAZR5Y3MzYQ@mail.gmail.com>
To: "public-media-capture@w3.org" <public-media-capture@w3.org>
Cc: Chris Palmer <palmer@google.com>

1) User visits http://example.invalid/ which hosts a audio/video effects service

2) example.invalid requests access to camera and microphone

3) User grants access to example.invalid.

Attack: As the code from example.invalid is not from an authenticated
origin an attacker could have inserted code that takes the output from
the camera and microphone and transmits it towards evil.invalid,
unbeknownst to the user.

The user is probably not aware their privacy could be compromised in
this manner.

Arguments made in the previous thread plus counter arguments:

A) Geolocation does it too. I think that geolocation set a bad
precedent that we should not follow. I raised this issue with the
geolocation WG and so far they seem to agree with my assessment.
They're looking into their options to improve the situation.

B) <input type=file> does it too. I suspect that were we to invent
this feature today we would more strongly consider requiring an
authenticated origin. However, in comparison <input type=file> is far
less invasive than sharing everything that happens in your current
environment in real time. (The <input type=file> case mentioned was
uploading an avatar. I think anything with user accounts must use TLS
as users are likely to reuse passwords even though we all know that's
bad. Hosting something with user accounts while not using TLS is

Basically, new features should be hold to a higher bar than past
features. I also discovered that getUserMedia() is still prefixed in
Firefox Nightly, so there seems to be ample room for communicating
this change to developers and providing an upgrade path. Thanks to
Cloudflare it also seems easier than ever to get an authenticated

Received on Wednesday, 1 October 2014 16:06:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:24:50 UTC