W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2014

Re: CfC: only allow authenticated origins to call getUserMedia

From: Justin Uberti <juberti@google.com>
Date: Tue, 7 Oct 2014 08:59:23 -0700
Message-ID: <CAOJ7v-2o18VQfVY0aSjb-FFTxegqpX4Tb_mrH8rfDi2CP8yEQw@mail.gmail.com>
To: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
I am not OK with this, as described, for three reasons:
1) there is already substantial incentive for apps to use authenticated
origins, e.g. persistent permissions in chrome, browsers marking https
origins favorably
2) this breaks real, existing applications, e.g. http://webcamtoy.com/
3) makes trying/experimenting with webrtc difficult, e.g.
http://jsfiddle.net, or http://localhost

We still want to encourage HTTPS, of course, so I think it would be fine to
have console warnings or similar methods of persuasion.

On Mon, Oct 6, 2014 at 10:35 PM, Stefan Håkansson LK <
stefan.lk.hakansson@ericsson.com> wrote:

> Following the recent discussion on the list, the Chairs detect that
> there seems to be consensus to move to only allowing authenticated
> origins (as defined in [1]) to use getUserMedia (both the callback and
> Promise version).
> Please respond by Friday this week (Oct 10th) if you’re OK or Not OK
> with this change (silence will be interpreted as being OK with it).
> Harald and Stefan
> [1]
> https://w3c.github.io/webappsec/specs/mixedcontent/#is-origin-authenticated
Received on Tuesday, 7 October 2014 16:00:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:30 UTC