[Bug 26937] Proposal: Only allow authenticated origins to access getUserMedia

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26937

Domenic Denicola <d@domenic.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d@domenic.me

--- Comment #5 from Domenic Denicola <d@domenic.me> ---
I want to get the TAG's thoughts in writing, as well as my interpretation of
what was agreed to on yesterday's call.

In general, per our recent TAG resolution, we believe privacy-sensitive
features should be restricted to secure origins. And getUserMedia (as well as
mediaDevices.enumerateDevices, to a lesser extent) is definitely a
privacy-sensitive feature, by any accounting.

When it comes to dealing with the real world, we recognize that especially for
specs that have lots of code out there, like geolocation or getUserMedia,
fixing this is going to be a process. So we're definitely not saying "the spec
and all browsers should move getUserMedia to secure-origins-only right now."

Also of note, we're not saying that e.g. navigator.getUserMedia should require
secure origins, but navigator.webkitGetUserMedia should not, or that
MediaDevices.getUserMedia should require secure origins, but
navigator.getUserMedia should not. A browser should make the move all at once;
otherwise, attackers can just use the un-secured API.

As such, in our opinion the best way to make a forward-looking move is to
explicitly outline that supporting GUM on HTTP is deprecated, and to give a
path toward its eventual removal. A good example of this being done already in
the platform is with XHR: see https://xhr.spec.whatwg.org/#sync-warning.

Here's a draft of the kind of warning I would imagine:

"When on an insecure origin, user agents are strongly encouraged to warn about
usage of MediaDevices.getUserMedia, navigator.getUserMedia, and any prefixed
variants in their developer tools. User agents are encouraged to experiment
with removing these APIs entirely when on an insecure origin, as long as they
remove all of them at once (e.g., they should not leave just the prefixed
version available on insecure origins). This will enable us to eventually
remove insecure access to this feature from the platform."

We didn't talk about it much, but I think the TAG would generally suggest that
enumerateDevices be restricted to secure origins out of the box. (Personally I
think this kind of protection-from-fingerprinting privacy is somewhat of a lost
cause, but in general the TAG, and I believe much of the web standards
community, disagrees with me on that.)

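An added example, not code from the bug thread or from any browser, of the "remove all of them at once" point above: on an insecure origin every getUserMedia entry point (promise-based, legacy callback, and prefixed) is disabled together, so a page cannot simply fall back to the prefixed variant. It assumes a `navigator`-shaped object and a boolean secure-origin flag (in a real page that would be `window.isSecureContext`); the sample navigator is constructed for the demo.

```javascript
// Entry points to disable together; leaving any one of them active on an
// insecure origin defeats the restriction (the thread's core point).
const GUM_ENTRY_POINTS = [
  ["navigator", "getUserMedia"],
  ["navigator", "webkitGetUserMedia"],
  ["navigator", "mozGetUserMedia"],
  ["mediaDevices", "getUserMedia"],
];

// Replaces every present entry point with a rejecting stub when the origin is
// insecure. Returns the list of names that were blocked (empty on a secure
// origin, where the API is left untouched). `warn` mirrors the suggested
// developer-tools warning; it defaults to console.warn.
function restrictGetUserMedia(nav, isSecure, warn = console.warn) {
  if (isSecure) return [];
  const blocked = [];
  for (const [owner, name] of GUM_ENTRY_POINTS) {
    const target = owner === "navigator" ? nav : nav.mediaDevices;
    if (!target || typeof target[name] !== "function") continue;
    const label = owner === "navigator" ? `navigator.${name}` : `navigator.mediaDevices.${name}`;
    target[name] = function blockedGetUserMedia() {
      const err = new Error(`${label} is not available on insecure origins`);
      err.name = "NotAllowedError";
      warn(`[insecure origin] ${label} blocked`);
      // Legacy callback form is (constraints, successCb, failureCb).
      const failure = arguments[2];
      if (typeof failure === "function") { failure(err); return undefined; }
      return Promise.reject(err);
    };
    blocked.push(label);
  }
  return blocked;
}

// Constructed stand-in for `navigator` on an http:// page, exposing both the
// promise-based and the legacy/prefixed entry points (assumption, not real data).
function demo() {
  const fakeNavigator = {
    getUserMedia(constraints, ok) { ok("stream"); },
    webkitGetUserMedia(constraints, ok) { ok("stream"); },
    mediaDevices: { getUserMedia: () => Promise.resolve("stream") },
  };
  return restrictGetUserMedia(fakeNavigator, false, () => {});
}
```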

Received on Friday, 31 October 2014 15:52:43 UTC