Re: [mediacapture-main] Pull Request: Extend iframe with a new allowusermedia attribute (issue: #268)

On 2/5/16 9:35 AM, Stefan Håkansson LK wrote:
> On 05/02/16 12:29, Martin Thomson wrote:
>> https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit
> It seems to me that the essence of the "floating idea" is that only the
> top level origin should be shown in user prompts (even if the request to
> use certain resources is made by an iFrame).
>
> This seems mostly in line with PR #313. IIUC, #313 adds that any page
> embedding an iFrame must deliberately set the allowusermedia attribute
> for that iFrame to be able to ask for user media. And if it is the top
> level origin only that will be shown in the user prompt, it makes total
> sense to me if the top level origin can prohibit an iFrame to ask for
> user media.

The floated idea seems to conflict with any "on-by-default" for access 
in iframes whatsoever, so I trust we don't have that in PR #313? I 
thought I saw discussion about maybe there being a more permissive 
default in some cases, specifically, if no iframe permission parameters 
were specified at all, or did I misunderstand? I'm not very familiar 
with this part.

About the floated idea: The fusing of permissions between iframes and 
their top origin sure simplifies, but the move of control from users to 
the site concerns me. I fear this will lead to demand for browser 
policy-settings to control third-party permissions the way we have today 
for third-party cookies...

.: Jan-Ivar :.

> There is a part in #313 that would go away: it is said that the iframe
> "needs to identify itself in the security prompt presented to the
> user.", and that would go away. But to me #313 seems sensible for now,
> we can remove that part later if the "floating idea" is adopted.

Received on Friday, 5 February 2016 22:11:25 UTC