- From: Mathieu Hofman <Mathieu.Hofman@citrix.com>
- Date: Tue, 27 Oct 2015 01:53:10 +0000
- To: Nick Doty <npdoty@w3.org>, Eric Rescorla <ekr@rtfm.com>
- CC: Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
> From: Nick Doty [mailto:npdoty@w3.org] > Sent: Monday, October 26, 2015 17:22 > To: Eric Rescorla <ekr@rtfm.com> > Cc: Martin Thomson <martin.thomson@gmail.com>; Mathieu Hofman > <Mathieu.Hofman@citrix.com>; Harald Alvestrand <harald@alvestrand.no>; > public-media-capture@w3.org; public-privacy (W3C mailing list) <public- > privacy@w3.org> > Subject: Re: Comments/Questions on Media Capture Streams – Privacy and > Security Considerations > > I'm not sure the situations are analogous. Large web sites that handle credit > card numbers or store personal information as part of their business are > likely aware of the security implications, more than a website developer who > once added a bit of JavaScript to take a user's picture. Ongoing surreptitious > access to camera and microphone on someone's device is potentially much > more harmful to the user than access to her credit card number and an > annoying call with her bank's anti-fraud division. And the problem with the > persisted permission in this case is that the threat exists for all users for all > time in the future, even if the XSS bug isn't introduced or discovers until > months or years later. And it's not just XSS, but if you have any bug where > URL parameters can indicate a participant in a video chat (likely to be a > common model) or any variation on a session fixation attack. > > What we're saying is that every XSS or related security bug you have in the > future, in addition to having security implications for your site's business, will > also expose every previous user of your site to video and audio surveillance. > It's not, "using this API involves sensitive data, so audit to find security bugs > when you're using it", but rather "if you ever used this, you have to commit > to perfect security diligence in perpetuity." > > At the least, I think Mathieu's suggestion about CSP might be useful in > updating that section of the spec. We could give more specific > recommendations about use of CSP and maybe user agents can take that > signal into account when determining whether to grant a permission based > on a prior granting. Actually I'm coming back on my original idea. I don't think CSP can be of any help, now that I realize CSP can be added to a compromised page using html meta element. Mathieu
Received on Tuesday, 27 October 2015 01:53:40 UTC