Re: [Bug 25809] Security issue: Abuse of "call me" URLs

On 28/08/14 11:38, Dominique Hazael-Massieux wrote:
> On Thursday 03 July 2014 at 10:56 +0200, Harald Alvestrand wrote:
>> I think the web developers mostly will read books and pages written by
>> people who (hopefully) read the spec - and those people will hopefully
>> read it from end to end, so it doesn't matter much where.
>>
>> I think putting it in the (non-normative) security considerations
>> section will do nicely.
>
> This sounds reasonable; I've put a pull request to that effect.
> https://github.com/w3c/mediacapture-main/pull/9
>
> But I wonder if we could not do more to make that footgun less likely to
> be triggered.
>
> We could for instance prevent getUserMedia from operating without an
> "engagement gesture" (see
> https://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html#glossary
> ).

Maybe the extra security this gives is worth the minor annoyance it 
creates for users of sites (with stored permissions) that are properly 
set up. I'm in favor.

>
> For an ad that would embed an app that would have stored permissions, we
> may also link the stored permissions to the stack of embedding origins,
> not just the origin from where the script operates (although I don't
> know if there is any model we can follow for this).

I do not follow completely. Embedded using an iFrame? Would not the 
iFrame have its origin? (How to present the url of the site wanting 
access to microphone/camera is a challenge though.)

>
> Finally, we may also want to avoid any random app to be able to trigger
> a getUserMedia prompt when embedded in a Web page (which could easily
> confuse users); in this case, we should get a new value added to the
> sandbox attribute in iframe element
> http://www.w3.org/html/wg/drafts/html/master/embedded-content.html#attr-iframe-sandbox

I like this.

>
> Dom

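An added, application-side illustration of the two mitigations discussed in this thread (gating getUserMedia on an engagement gesture, and refusing capture when the page is embedded in another frame unless explicitly opted in); this is not code from the thread, the spec or any browser, and `guardedGetUserMedia`, `captureRefusalReason` and the injectable `win` / `mediaDevices` parameters are assumptions of this example.

```javascript
// Added example: a guard a "call me" page could place in front of
// navigator.mediaDevices.getUserMedia until browsers enforce such rules.
// Both checks and the list of gesture events are assumptions of this example.

const GESTURE_EVENTS = new Set(['click', 'keydown', 'pointerup', 'touchend']);

// True only for a browser-dispatched (isTrusted) activation event; synthetic
// events created by script have isTrusted === false and do not count.
function isEngagementGesture(event) {
  return Boolean(event && event.isTrusted === true && GESTURE_EVENTS.has(event.type));
}

// True when the document is rendered inside a frame. `win` is injectable so
// the logic can be exercised outside a browser; pass window in a page.
function isEmbedded(win) {
  return win.top !== win.self;
}

// Returns a refusal reason, or null when the capture request may proceed.
function captureRefusalReason(event, win, opts = {}) {
  if (!isEngagementGesture(event)) return 'no engagement gesture';
  if (isEmbedded(win) && !opts.allowEmbedded) return 'embedded without opt-in';
  return null;
}

// Wrapper around getUserMedia that applies the guard first. `mediaDevices`
// defaults to navigator.mediaDevices in a browser; a fake can be injected.
async function guardedGetUserMedia(event, constraints, options = {}) {
  const {
    win = globalThis,
    mediaDevices = globalThis.navigator && globalThis.navigator.mediaDevices,
    allowEmbedded = false,
  } = options;
  const reason = captureRefusalReason(event, win, { allowEmbedded });
  if (reason !== null) throw new Error('getUserMedia refused: ' + reason);
  return mediaDevices.getUserMedia(constraints);
}
```

In a page the call site would be `button.addEventListener('click', (ev) => guardedGetUserMedia(ev, { audio: true }))`, so the prompt can only follow a real user action.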

Received on Monday, 1 September 2014 06:33:21 UTC