Re: [rtcweb] Conditions for long-term permissions grants

On 10/03/15 19:50, Justin Uberti wrote:
> I think we should follow the precedent that has been set for this sort
> of thing on mobile devices, namely that apps ask for consent the first
> time they need the camera, and this permission is stored, as mentioned
> in

Personally I don't agree (more on why below), but my takeaway from that 
is that we should perhaps leave the document as is since it is unlikely 
that we would find consensus if we try to add more detail on the 
behavior regarding stored permissions in a normative part of the spec.

Why I don't agree: I think there is a difference between an installed 
app and a web page. Installing an app is a much more conscious decision 
than, there is (usually) an app store involved, and an app can be 
uninstalled (of course you can revoke stored permissions - but that is 
not as intuitive to the average user IMO).

Moreover, it is quite easy to imagine sites asking for access to camera 
and microphone (e.g. get support during a purchase in a web shop) in 
situations when you'd really like that access to be one time (I'd not like 
that web shop to be able to use my camera next time I'm browsing its 

And https is a good thing, but not sufficient IMO. Most sites will move 
there (and don't get me wrong: that is a good thing), so I'm not sure 
that "served over https" always equals "well behaved" and in addition 
not all of those sites will be professionally managed and could be 
hacked. So my very personal opinion is that allowing any site (served 
over https) to store permissions to use camera and microphone without my 
explicit permission to do so is not right.

Received on Thursday, 12 March 2015 10:48:47 UTC