- From: <bugzilla@jessica.w3.org>
- Date: Fri, 31 Oct 2014 15:52:42 +0000
- To: public-media-capture@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26937

Domenic Denicola <d@domenic.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d@domenic.me

--- Comment #5 from Domenic Denicola <d@domenic.me> ---

I want to get the TAG's thoughts in writing, as well as my interpretation of what was agreed to on yesterday's call.

In general, per our recent TAG resolution, we believe privacy-sensitive features should be restricted to secure origins. And getUserMedia (as well as mediaDevices.enumerateDevices, to a lesser extent) is definitely a privacy-sensitive feature, by any accounting.

When it comes to dealing with the real world, we recognize that especially for specs that have lots of code out there, like geolocation or getUserMedia, fixing this is going to be a process. So we're definitely not saying "the spec and all browsers should move getUserMedia to secure-origins-only right now."

Also of note, we're not saying that e.g. navigator.getUserMedia should require secure origins, but navigator.webkitGetUserMedia should not, or that MediaDevices.getUserMedia should require secure origins, but navigator.getUserMedia should not. A browser should make the move all at once; otherwise, attackers can just use the un-secured API.

As such, in our opinion the best way to make a forward-looking move is to explicitly outline that supporting GUM on HTTP is deprecated, and to give a path toward its eventual removal. A good example of this being done already in the platform is with XHR: see https://xhr.spec.whatwg.org/#sync-warning.

Here's a draft of the kind of warning I would imagine:

"When on an insecure origin, user agents are strongly encouraged to warn about usage of MediaDevices.getUserMedia, navigator.getUserMedia, and any prefixed variants in their developer tools. User agents are encouraged to experiment with removing these APIs entirely when on an insecure origin, as long as they remove all of them at once (e.g., they should not leave just the prefixed version available on insecure origins). This will enable us to eventually remove insecure access to this feature from the platform."

We didn't talk about it much, but I think the TAG would generally suggest that enumerateDevices be restricted to secure origins out of the box. (Personally I think this kind of protection-from-fingerprinting privacy is somewhat of a lost cause, but in general the TAG, and I believe much of the web standards community, disagrees with me on that.)
Received on Friday, 31 October 2014 15:52:43 UTC
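The "remove all variants at once" rule from the comment above, as an added page-side example (not code from the bug thread, the TAG, or any spec): the wrapper gates every getUserMedia entry point, prefixed or not, on `isSecureContext` together, and logs the refusal to the developer console. The `env` object ({ isSecureContext, navigator, console }) is an assumed stand-in for `window` so the code can run outside a browser.

```javascript
// Added example: gate every getUserMedia variant on the secure-context flag at
// once, so a page never falls back to a prefixed entry point on HTTP.
// `env` is an assumed stand-in for `window`; in a real page pass `window`.
const LEGACY_VARIANTS = ["getUserMedia", "webkitGetUserMedia", "mozGetUserMedia"];

// List every getUserMedia entry point the environment exposes, modern first.
function availableVariants(nav) {
  const found = [];
  if (nav.mediaDevices && typeof nav.mediaDevices.getUserMedia === "function") {
    found.push("mediaDevices.getUserMedia");
  }
  for (const name of LEGACY_VARIANTS) {
    if (typeof nav[name] === "function") found.push("navigator." + name);
  }
  return found;
}

// Returns a Promise-based getUserMedia, or null when nothing usable exists.
// On an insecure origin every variant is refused together (the unprefixed and
// prefixed ones alike) and the refusal is reported in the console, mirroring
// the draft warning text in the comment.
function secureGetUserMedia(env) {
  const nav = env.navigator;
  const variants = availableVariants(nav);
  if (variants.length === 0) return null;
  if (!env.isSecureContext) {
    env.console.warn(
      "getUserMedia refused on insecure origin; blocked variants: " + variants.join(", ")
    );
    return null;
  }
  if (variants[0] === "mediaDevices.getUserMedia") {
    return (constraints) => nav.mediaDevices.getUserMedia(constraints);
  }
  // Only a legacy callback-style variant is present: adapt it to a Promise.
  const legacy = nav[variants[0].replace("navigator.", "")];
  return (constraints) =>
    new Promise((resolve, reject) => legacy.call(nav, constraints, resolve, reject));
}
```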