- From: stefan hakansson via GitHub <sysbot+gh@w3.org>
- Date: Wed, 23 Mar 2016 08:57:47 +0000
- To: public-media-capture@w3.org
stefhak has just created a new issue for https://github.com/w3c/mediacapture-main:

== Is more needed regarding revocation? ==

This is part of Nick Doty's feedback after reviewing how his comments during LC have been addressed.

What Nick says:

"I believe there were open questions on both user-side revocation and site-side revocation of persisted permissions.

On user-side revocation, Rigo had noted that RFC 7478 mandated user agents provide the capability for users to revoke permissions, and we weren't sure that had been translated into draft-ietf-rtcweb-security-arch. I think I may have dropped the ball on not creating a pull request on that point; if it's still useful for me to do so, let me know. The Media Capture spec assumes that user-side revocation is required, though I don't think it introduces any specific normative requirement.

https://lists.w3.org/Archives/Public/public-media-capture/2015Oct/0061.html

I raised the concern that sites should also have a way to revoke persisted permissions that they may have received, as one way of limiting the risk to their users where they requested camera access in a way that might have just been one-time and subsequently had a security breach of some kind (like a reflected XSS attack). The wide review document suggests this is resolved via the Permissions API:

> We reworked our permission system to be based on the Permission API, where revocation is addressed

However, I couldn't find any references to the Permissions API in the Media Capture and Streams document. Is there any requirement or expectation that user agents that implement the Media Capture spec will also implement the corresponding Permissions API functionality? Or an example for how sites can use the Permissions API to query or revoke permissions using that API?

The current editor's draft of the Permissions API does include a PermissionsDescriptor for camera and microphone, and a method for revoking permissions.

The Permissions API is at least under development for both Chrome and Firefox:

https://platform-status.mozilla.org/#permissions

Although I don't think the current Firefox patch includes camera and microphone among the supported permission names:

https://bugzilla.mozilla.org/show_bug.cgi?id=1105827

To the extent that it's unclear whether sites will be able to revoke their Media Capture permissions using the Permissions API, I remain concerned about this point. That said, maybe the fact that the Permissions API editor's draft has included it is a promising sign and the Privacy Interest Group could provide feedback on the Permissions API regarding this point."

Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/334 using your GitHub account
Received on Wednesday, 23 March 2016 08:57:50 UTC