Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

On Oct 27, 2015, at 10:53 AM, Mathieu Hofman <> wrote:
>> What we're saying is that every XSS or related security bug you have in the
>> future, in addition to having security implications for your site's business, will
>> also expose every previous user of your site to video and audio surveillance.
>> It's not, "using this API involves sensitive data, so audit to find security bugs
>> when you're using it", but rather "if you ever used this, you have to commit
>> to perfect security diligence in perpetuity."
>> At the least, I think Mathieu's suggestion about CSP might be useful in
>> updating that section of the spec. We could give more specific
>> recommendations about use of CSP and maybe user agents can take that
>> signal into account when determining whether to grant a permission based
>> on a prior granting.
> Actually I'm coming back on my original idea. I don't think CSP can be of any help, now that I realize CSP can be added to a compromised page using html meta element.

That certain attackers can add CSP policies doesn't prevent their usefulness in this area. What we're concerned about is whether a previously-provided permission grant for getUserMedia can be safely relied on for later access to camera/microphone without a permission prompt. If a CSP policy is in place when getUserMedia was first used by a site and is still in place, then the browser can be provided some confidence that a permission still makes sense and is relatively less likely to be a XSS attack. If you called getUserMedia on your small site and don't have a CSP policy and someone later finds an XSS attack, the lack of a CSP might be an indicator for the user agent not to persist the permission request.

XSS attacks that are invoking getUserMedia for the first time could still be a privacy/security risk, of course, especially in cases of insecure contexts, but it's not an issue with persistence of permission.

And in terms of non-normative text, CSP would simply be more specific than the current guidance.

Received on Tuesday, 27 October 2015 05:45:17 UTC