W3C home > Mailing lists > Public > public-media-capture@w3.org > February 2015

Input needed: Cancelling a permission request?

From: Harald Alvestrand <harald@alvestrand.no>
Date: Thu, 19 Feb 2015 14:25:12 +0000
Message-ID: <54E5F248.7070100@alvestrand.no>
To: "public-media-capture@w3.org" <public-media-capture@w3.org>
We have had 2 calls for consideration of related matter to this subject
recently - the newest one is documented here:


The issue is this: If a getUserMedia request causes a permission prompt,
should there be a way for the Javascript to cause that permission prompt
to disappear after a while if it is not granted, cancelling the request?

This has been discussed before, issues raised include:

- Very short timeouts allow an attacker to do device querying without
the user noticing.
- Not having this ability means that prompts hang around until the
relevant tab is closed.
- For applications that have an "install/registration" phase, and where
the request is served over HTTPS, and the platform supports "permit for
all devices", the app can use stored permission to avoid a later
permission prompt entirely except for exceptional cases (like when the
user revokes permission).

Our alternatives include:
- Not doing anything, letting apps deal with the issues as described
above, or living with it
- Adding a timeout parameter to getUserMedia, which allows the prompt to
fade away after a while
- Adding a "cancel" mechanism wehre a the gUM promise can be resolved by
the Javascript not the platform, leading to the prompt disappearing
- Define this as a problem that we need to solve later
- Something else

What do people think?


Surveillance is pervasive. Go Dark.
Received on Thursday, 19 February 2015 14:25:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:32 UTC