Re: Additional protection against automatic camera capture (was: [Bug 25809] Security issue: Abuse of "call me" URLs)

On Mon, Sep 15, 2014 at 8:32 AM, Dominique Hazael-Massieux <dom@w3.org> wrote:

> A couple of weeks ago, discussing bug 25809 (“call me” URLs), I
> suggested some potential additions to the spec to make it harder to trap
> users in getting automatically and unexpectedly “on air”:
> * requiring an engagement gesture for getUserMedia
> * linking permanent permissions to the embedded stack of origins
> * letting pages opt-in to allow their embedded frames to make use of
> getUserMedia
>

I haven't checked Chrome, but Firefox does not seem to allow IFRAMEd content
to use persistent permissions even if that origin otherwise would have such
access.
With that said, we discussed parent page visibility in IETF a while back and
there wasn't much interest.


> There was support from some, and hesitations from others.
>
> To move forward with this, we could:
> * ask the chairs to call for consensus on this now
>

I haven't seen much evidence of consensus.

-Ekr

> * ask for further input from the Web Apps Security WG and/or the TAG
> * leave the spec as is, with a note asking for input from readers on
> these questions
>
> Thoughts?
>
> Dom

Received on Monday, 15 September 2014 15:47:38 UTC