Re: CfC: only allow authenticated origins to call getUserMedia

On Tue, Oct 7, 2014 at 8:59 AM, Justin Uberti <> wrote:

> I am not OK with this, as described, for three reasons:
> 1) there is already substantial incentive for apps to use authenticated
> origins, e.g. persistent permissions in chrome, browsers marking https
> origins favorably

Firefox also allows persistent permissions (I believe) FF 33 (due out
but only for HTTPS.

> 2) this breaks real, existing applications, e.g.
> 3) makes trying/experimenting with webrtc difficult, e.g.
>, or http://localhost
> We still want to encourage HTTPS, of course, so I think it would be fine
> to have console warnings or similar methods of persuasion.

I agree with Justin's position.

As Adam mentioned in another thread, it's hard to think of a clearer case
of informed
user consent, so this doesn't seem like it has special security benefit
aside from the
benefit of deprecating non-HTTPS everywhere.

Pre-warning: this has been debated extensively already, so I don't intend
to engage
in a lot of back and forth here unless something new is said. I'm only
responding here
to make clear that there's not consensus for this change.


> On Mon, Oct 6, 2014 at 10:35 PM, Stefan Håkansson LK <
>> wrote:
>> Following the recent discussion on the list, the Chairs detect that
>> there seems to be consensus to move to only allowing authenticated
>> origins (as defined in [1]) to use getUserMedia (both the callback and
>> Promise version).
>> Please respond by Friday this week (Oct 10th) if you’re OK or Not OK
>> with this change (silence will be interpreted as being OK with it).
>> Harald and Stefan
>> [1]

Received on Tuesday, 7 October 2014 16:10:45 UTC