W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2014

Re: getUserMedia() and authenticated origins #2

From: Harald Alvestrand <harald@alvestrand.no>
Date: Sun, 05 Oct 2014 10:24:30 +0200
Message-ID: <5431003E.8000003@alvestrand.no>
To: public-media-capture@w3.org
On 10/04/2014 02:58 PM, Anne van Kesteren wrote:
> On Sat, Oct 4, 2014 at 2:54 PM, Stefan HÃ¥kansson LK
> <stefan.lk.hakansson@ericsson.com> wrote:
>> Next part then: should each user agent decide whether or not it follows
>> step four in the algorithm or not, or should it be documented in the gUM
>> document something with the meaning "the UA could decide to not allow
>> file URLs to access gUM in spite of it evaluating as an authenticated
>> origin in [ref to the algorithm]"?
> I would prefer that if there are concerns with file URLs we sort those
> in Mixed Content somehow as this is bigger than just this single
> feature. Unless there are concerns that would be specific to WebRTC?
The time the discussion about file: URLs came up before was in the
context of email attachments; it's apparently not uncommon practice for
email clients to store an attachment to a temporary file and call a
browser with a file: URL.

The concern then was about stored permissions; there should be no way to
store permissions for all file: URLs, or pre-autenticate a document for
getUserMedia when it might come from an unknown email source - but this
is (as I understand it) not an issue because each file: URL is
considered to be its own origin.

So I think that the rules for file: work for us, and that we are OK with
considering file: URLs "authenticated origins" under the reference

Surveillance is pervasive. Go Dark.
Received on Sunday, 5 October 2014 08:25:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:30 UTC