Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

On Mon, Oct 26, 2015 at 8:21 PM, Nick Doty <> wrote:

> I'm not sure the situations are analogous. Large web sites that handle
> credit card numbers or store personal information as part of their business
> are likely aware of the security implications, more than a website
> developer who once added a bit of JavaScript to take a user's picture.

And yet those sites routinely have breaches.

> Ongoing surreptitious access to camera and microphone on someone's device
> is potentially much more harmful to the user than access to her credit card
> number and an annoying call with her bank's anti-fraud division.

This seems to reflect a fairly rosy view of the severity of financial fraud.

> What we're saying is that every XSS or related security bug you have in the
> future, in addition to having security implications for your site's
> business, will also expose every previous user of your site to video and
> audio surveillance. It's not, "using this API involves sensitive data, so
> audit to find security bugs when you're using it", but rather "if you ever
> used this, you have to commit to perfect security diligence in perpetuity."

Well, again, not in Firefox, because Firefox doesn't persist permissions by

> At the least, I think Mathieu's suggestion about CSP might be useful in
> updating that section of the spec. We could give more specific
> recommendations about use of CSP and maybe user agents can take that signal
> into account when determining whether to grant a permission based on a
> prior granting.

I don't have a problem with recommending that people use CSP, but I don't
agree that it makes sense to require browsers to take that into account, at
least at the time of grant use, for the reason I indicated previously.


> On Oct 24, 2015, at 1:12 PM, Eric Rescorla <> wrote:
> On the other hand, it's the advice we give to sites which handle credit
> card numbers, e-mails, and other sensitive information. Generally, if
> you once have an XSS on your site, it's fairly hard to clean up later.
> -Ekr
> On Fri, Oct 23, 2015 at 9:01 PM, Martin Thomson <>
> wrote:
>> On 23 October 2015 at 17:27, Nick Doty <> wrote:
>> > The current advice in the specification is for site developers that use
>> > the API not to have security vulnerabilities anywhere on their sites. That
>> > doesn't seem like advice that can or will be followed.
>> Yes, I agree that this sort of advice is foolish.

Received on Tuesday, 27 October 2015 10:43:39 UTC