- From: Eric Rescorla <ekr@rtfm.com>
- Date: Fri, 2 Nov 2012 13:48:26 +0100
- To: public-webappsec <public-webappsec@w3.org>
I've been starting to wonder if it's worth having a mechanism to restrict access to APIs in CSP. A good example here is getUserMedia(), which allows access to the camera and microphone. It's going to be possible to set a persistent permission allowing an origin to access these devices, but you could imagine that a site might want to restrict that permission to specific pages. This could obviously be done with domain sharding, but that's gross...

So, you could imagine a CSP directive like:

    forbid-function getUserMedia

That would restrict access to getUserMedia. Other candidates here might be the webcrypto APIs to the extent to which they allow access to persistent origin-bound keys.

1. Does this sound like a plausible goal to people?
2. Any suggestions about the syntax?

-Ekr

Received on Friday, 2 November 2012 12:49:35 UTC