- From: Chris Palmer <palmer@google.com>
- Date: Thu, 10 Dec 2015 16:46:08 -0800
- To: Harald Alvestrand <harald@alvestrand.no>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAOuvq208NkyASrGjNAUN9ueibTRV6kG4D8NX_OPksfrOoXtCoA@mail.gmail.com>
Regarding:
“deviceinfo” permits getting names and capabilities of available
input and output devices.
I'd rather that information not be generally available to web origins. The
browser, and the person using the browser, can and should mediate access to
the devices (via native browser chrome or other mechanisms outside or and
unavailable to the web origin). Web origins might abuse the information
they can access for e.g. supercookies, and in any case it doesn't seem
strictly necessary.
On Wed, Dec 9, 2015 at 1:09 PM, Harald Alvestrand <harald@alvestrand.no>
wrote:
> Hello WebAppSec people!
>
> The topic of permissions has been much on the mind of the WebRTC WG and
> the Media Capture task force.
> One suggestion has been to use the WebAppSec "permissions" model to
> manage our permissions - this seems attractive on the surface, but we're
> not sure if we understand all the implications.
>
> In order to explore this further, I wrote up a sketch for how this could
> be done based on my understanding of the permissions document. The
> proposal is enclosed, and is also available as a GDoc on this link:
>
>
> https://docs.google.com/document/d/13c4hTlm2XgVYpxfGL1a8fcvI1CAUdIgd662DfElk_ow/edit?usp=sharing
>
> This seems to have had a reasonable reception in the Media Capture group.
> If it also meets favor (possibly after a rewrite based on advice) in
> this group, it could be turned into a pull request against the
> Permissions API document.
>
> Would that seem like a reasonable plan?
>
> Harald Alvestrand
> speaking, in this case, as technical contributor to Media Capture and
> WebRTC
>
>
Received on Friday, 11 December 2015 00:46:44 UTC