I'm not sure the situations are analogous. Large web sites that handle credit card numbers or store personal information as part of their business are likely aware of the security implications, more than a website developer who once added a bit of JavaScript to take a user's picture. Ongoing surreptitious access to camera and microphone on someone's device is potentially much more harmful to the user than access to her credit card number and an annoying call with her bank's anti-fraud division. And the problem with the persisted permission in this case is that the threat exists for all users for all time in the future, even if the XSS bug isn't introduced or discovers until months or years later. And it's not just XSS, but if you have any bug where URL parameters can indicate a participant in a video chat (likely to be a common model) or any variation on a session fixation attack.
What we're saying is that every XSS or related security bug you have in the future, in addition to having security implications for your site's business, will also expose every previous user of your site to video and audio surveillance. It's not, "using this API involves sensitive data, so audit to find security bugs when you're using it", but rather "if you ever used this, you have to commit to perfect security diligence in perpetuity."
At the least, I think Mathieu's suggestion about CSP might be useful in updating that section of the spec. We could give more specific recommendations about use of CSP and maybe user agents can take that signal into account when determining whether to grant a permission based on a prior granting.
> On Oct 24, 2015, at 1:12 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On the other hand, it's the advice we give to sites which handle credit
> card numbers, e-mails, and other sensitive information. Generally, if
> you once have an XSS on your site, it's fairly hard to clean up later.
>
> -Ekr
>
> On Fri, Oct 23, 2015 at 9:01 PM, Martin Thomson <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
> On 23 October 2015 at 17:27, Nick Doty <npdoty@w3.org <mailto:npdoty@w3.org>> wrote:
> > The current advice in the specification is for site developers that use the API not to have security vulnerabilities anywhere on their sites. That doesn't seem like advice that can or will be followed.
>
> Yes, I agree that this sort of advice is foolish.
>