Re: getUserMedia() and authenticated origins from Shwetank Dixit on 2014-10-03 (public-media-capture@w3.org from October 2014)

From: Shwetank Dixit <shwetankd@opera.com>
Date: Fri, 3 Oct 2014 20:17:55 +0530
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <CAERMemdY2vSD1D-px0iuJUpLCFNhn+LzBvnwP7MRE_2txEexOQ@mail.gmail.com>

On Mon, Sep 29, 2014 at 5:04 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Sep 10, 2014 at 3:32 PM, Shwetank Dixit <shwetankd@opera.com>
> wrote:
> > To add to the point, someone can make an app using gUM without even
> > involving any other part of WebRTC (like peerconnection or datachannels)
> ...
> > so, a gUM app doesn't always have to be about *communication*.
> Considering
> > such cases, I think it's fair to allow it to be using http.
>
> Given that operators are not afraid of injecting content into HTTP,
> what would stop such an injection from sharing data made available
> from getUserMedia()?
>

Nothing. You're right, it can still be MITM'd .... I think I'll have to
revise my original position and support HTTPS-only for gUM and other such
privacy sensitive APIs.


>
> --
> https://annevankesteren.nl/
>



-- 
Shwetank Dixit
Web Evangelist,
Web Standards Team,
Opera Software - www.opera.com

Received on Friday, 3 October 2014 14:48:43 UTC