[mediacapture-image] Make mandatory link between image metadata and page permissions (#283)

pes10k has just created a new issue for https://github.com/w3c/mediacapture-image:

== Make mandatory link between image metadata and page permissions ==
(this issue is from the review I did as part of PING's HR review)

Currently, the spec mentions, non-normatively, that implementors might consider preventing unexpected information loss through image headers. The risks for privacy loss here are significant, and could even weaken privacy protections enforced elsewhere in the platform (as an example, geolocation information might be leaked to the page through an EXIF header in an image, despite the page not having the geolocation permission).

The spec should, normatively, ensure that the new functionality in the spec doesn't cause such privacy harm.

Two possible suggestions for how the spec could do this:

1. Simplest idea: specify that there MUST NOT be any metadata attached to the returned image
2. More difficult idea: specify what kinds of data MAY be attached to the image, and consider that a closed set

The above are just offered as suggestions, but the core of the issue here is that the spec should deal with this introduced privacy risk through normative / required protections.

Please view or discuss this issue at https://github.com/w3c/mediacapture-image/issues/283 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 16 July 2021 19:32:00 UTC
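As an added illustration of the first suggestion in the issue (strip all metadata from the returned image), and not code from the spec, from any browser, or from the issue author: a minimal JPEG segment walker that drops every application and comment segment except the JFIF header, so an EXIF block carrying GPS tags never reaches the page. It assumes a well-formed baseline JPEG and uses a constructed sample file; the Exif payload in the sample is a bare TIFF header, not real camera data.

```javascript
// Marker codes used below (second byte after 0xFF).
const SOI = 0xD8, EOI = 0xD9, SOS = 0xDA, APP0 = 0xE0, APP1 = 0xE1, COM = 0xFE;
const readU16 = (b, i) => (b[i] << 8) | b[i + 1];
const ascii = (b, s, e) => String.fromCharCode(...b.subarray(s, e));

// Walk the marker segments up to SOS; everything from SOS to the end is
// entropy-coded data and is returned as one opaque segment.
function listSegments(bytes) {
  if (bytes[0] !== 0xFF || bytes[1] !== SOI) throw new Error('not a JPEG');
  const segs = [];
  for (let i = 2; i + 4 <= bytes.length; ) {
    if (bytes[i] !== 0xFF) throw new Error('expected marker at offset ' + i);
    const marker = bytes[i + 1];
    if (marker === SOS) { segs.push({ marker, start: i, end: bytes.length }); break; }
    const len = readU16(bytes, i + 2);        // length field counts itself
    segs.push({ marker, start: i, end: i + 2 + len });
    i += 2 + len;
  }
  return segs;
}

// APP1..APP15 (EXIF, XMP, ICC, ...), COM, and non-JFIF APP0 payloads are metadata.
function isMetadataSegment(seg, bytes) {
  if (seg.marker === COM || (seg.marker >= APP1 && seg.marker <= 0xEF)) return true;
  return seg.marker === APP0 && ascii(bytes, seg.start + 4, seg.start + 8) !== 'JFIF';
}

// Return a copy of the JPEG with only SOI, JFIF, frame/table segments and scan data.
function stripJpegMetadata(bytes) {
  const keep = [bytes.subarray(0, 2)];
  for (const s of listSegments(bytes)) if (!isMetadataSegment(s, bytes)) keep.push(bytes.subarray(s.start, s.end));
  const out = new Uint8Array(keep.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of keep) { out.set(p, off); off += p.length; }
  return out;
}

// Detection check: does an APP1 segment carry an "Exif\0\0" identifier?
function hasExif(bytes) {
  return listSegments(bytes).some(s => s.marker === APP1 && ascii(bytes, s.start + 4, s.start + 10) === 'Exif\0\0');
}

// Constructed sample (not a real photo): SOI, JFIF APP0, EXIF APP1, COM, SOS + fake scan data, EOI.
const seg = (m, p) => [0xFF, m, (p.length + 2) >> 8, (p.length + 2) & 0xFF, ...p];
const str = s => [...s].map(c => c.charCodeAt(0));
const SAMPLE = new Uint8Array([
  0xFF, SOI,
  ...seg(APP0, [...str('JFIF\0'), 1, 1, 0, 0, 1, 0, 1, 0, 0]),
  ...seg(APP1, [...str('Exif\0\0'), ...str('II'), 0x2A, 0, 8, 0, 0, 0]),
  ...seg(COM, str('camera comment')),
  0xFF, SOS, 0, 2, 0x12, 0x34,   // SOS header + scan bytes, not decoded here
  0xFF, EOI,
]);
```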