- From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Date: Sat, 4 Oct 2014 12:38:30 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
- CC: "public-media-capture@w3.org" <public-media-capture@w3.org>, Chris Palmer <palmer@google.com>
On 04/10/14 14:34, Anne van Kesteren wrote: > On Sat, Oct 4, 2014 at 1:55 PM, Stefan Håkansson LK > <stefan.lk.hakansson@ericsson.com> wrote: >> is you proposal that gUM should only be possible for authenticated >> origins as defined in >> https://w3c.github.io/webappsec/specs/mixedcontent/#is-origin-authenticated? >> >> So far I think we've in this work only talked about http and https, and >> I know that some implementation(s) disallow gUM from file: URLs; but >> those seem to be authenticated according to the reference. >> >> We should probably get a better understanding about what the >> implications would be of allowing file URL access. > > I don't think file URLs should have any baring on a move to > authenticated origins. The security implications of file URLs (and in > fact the workings of file URLs too) have been left up to user agents > since forever. I'd rather Mixed Content leaves file URLs as an > exercise to the reader until we better know what we want with them in > general. I'm confused. Is your proposal that we reference https://w3c.github.io/webappsec/specs/mixedcontent/#is-origin-authenticated and only allow origins that come out as authenticated to access gUM, or is it something else?
Received on Saturday, 4 October 2014 12:38:56 UTC