Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Nick Doty on 2015-10-27 (public-media-capture@w3.org from October 2015)

From: Nick Doty <npdoty@w3.org>
Date: Tue, 27 Oct 2015 14:44:56 +0900
To: Mathieu Hofman <Mathieu.Hofman@citrix.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <0B84BD91-1DC8-42C6-8A3C-81777A0DD346@w3.org>

On Oct 27, 2015, at 10:53 AM, Mathieu Hofman <Mathieu.Hofman@citrix.com> wrote:
>> What we're saying is that every XSS or related security bug you have in the
>> future, in addition to having security implications for your site's business, will
>> also expose every previous user of your site to video and audio surveillance.
>> It's not, "using this API involves sensitive data, so audit to find security bugs
>> when you're using it", but rather "if you ever used this, you have to commit
>> to perfect security diligence in perpetuity."
>> 
>> At the least, I think Mathieu's suggestion about CSP might be useful in
>> updating that section of the spec. We could give more specific
>> recommendations about use of CSP and maybe user agents can take that
>> signal into account when determining whether to grant a permission based
>> on a prior granting.
> 
> Actually I'm coming back on my original idea. I don't think CSP can be of any help, now that I realize CSP can be added to a compromised page using html meta element.

That certain attackers can add CSP policies doesn't prevent their usefulness in this area. What we're concerned about is whether a previously-provided permission grant for getUserMedia can be safely relied on for later access to camera/microphone without a permission prompt. If a CSP policy is in place when getUserMedia was first used by a site and is still in place, then the browser can be provided some confidence that a permission still makes sense and is relatively less likely to be a XSS attack. If you called getUserMedia on your small site and don't have a CSP policy and someone later finds an XSS attack, the lack of a CSP might be an indicator for the user agent not to persist the permission request.

XSS attacks that are invoking getUserMedia for the first time could still be a privacy/security risk, of course, especially in cases of insecure contexts, but it's not an issue with persistence of permission.

And in terms of non-normative text, CSP would simply be more specific than the current guidance.

Received on Tuesday, 27 October 2015 05:45:19 UTC