
Re: CfC: only allow authenticated origins to call getUserMedia

From: Chris Palmer <palmer@google.com>
Date: Wed, 8 Oct 2014 17:37:15 -0700
Message-ID: <CAOuvq21F5SNQY_ZnOveAc8o_Uc+XNpzHdBXK2O8rbLRCYGa9sA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Justin Uberti <juberti@google.com>, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>

On Wed, Oct 8, 2014 at 4:06 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> Yes, this is the difference between an active and a passive attack, which
> is the context that you elided in your response here. See below and
> note the asterisks which are intended to call your attention to the
> word "passive".

The crux of the issue is that the user cannot know that only passive
attackers, and not active attackers, are in play against them.
Therefore they must assume that active attackers are in play. And
therefore that OE is insufficient as a defense.

Received on Thursday, 9 October 2014 00:37:42 UTC
