W3C home > Mailing lists > Public > public-webrtc-logs@w3.org > February 2021

Re: [mediacapture-main] Origin isolation (#529)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 22:56:56 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-777090907-1612997815-sysbot+gh@w3.org>
> Is "media capture extension" this specification?

No, it's https://github.com/w3c/mediacapture-extensions, which this issue has not been transferred to at the time of writing.

> I propose we close this issue for now.

I do worry though that for security reasons, we need to say something about tainting in this spec, since this is where the [model of sources and sinks](https://github.com/w3c/mediacapture-extensions/issues/16#issuecomment-768376766) is established, and we have sources that may taint in https://github.com/w3c/mediacapture-fromelement/issues/83. Otherwise, it falls on every sink defined to not trip over this. We want to avoid another [cr761622](https://crbug.com/761622).

At minimum I think we need to say that any spec that defines a _sink_ for `MediaStreamTrack`s MUST protect any cross-origin media in it from being exposed to JS, or failing that, decree that `MediaStreamTrack` _sources_ MUST NOT contain cross-origin media, tainted or otherwise. Leaving individual sources and sinks to coordinate every combination of this seems subpar.

GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/529#issuecomment-777090907 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 22:56:57 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 6 May 2023 21:19:53 UTC