Re: [mediacapture-main] risk model of stored permissions and constraint opportunities (#991)

> 1. The mismatch between user expectation ("this app") and implementation (top-level domain) was created by this specification. Not to imply that it was wrong, at all, but the side-effects of hoisting permissions up to the address bar might best be considered as one design.

I hope I've shown above that this problem was not created by this specification, and that it faithfully follows the web model when it comes to permission delegation. E.g. this seems to apply equally to geolocation and other permissions.

For that reason it might be appropriate to consider opening an issue on [w3c/permissions](https://github.com/w3c/permissions/issues) instead.

We can keep this open to try to add some text to highlight the problem, and suggest solutions for web applications, like using different sub-domains per user. E.g. these have separate permissions (and cookies since `github.io` is an eTLD):
- https://jan-ivar.github.io/dummy/gum_video.html
- https://mozilla.github.io/webrtc-landing/gum_test.html

> - Unlike now, if the origin Allows access the iframe’s UX would be knocked back to Ask. The browser UX and stored permission would proceed in a familiar manner, but specific to the extra constraint.

Note the diversity in browsers I mentioned earlier. Specs generally [aren't prescriptive to this level](https://www.w3.org/TR/permissions/#dfn-request-permission-to-use) to allow user agents to experiment. User agents are encouraged to solve these situations if they can detect them.

E.g. Firefox will always ask if someone uses the (rather unsafe) `allow="camera *; microphone *;"` wildcards (click the `Navigate to landing` button in https://jan-ivar.github.io/dummy/iframe_iframe_gum_starcross.html in Firefox).

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2087507282 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 30 April 2024 22:02:21 UTC
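
As an added example (not part of the original comment, the specification, or any browser's code): a small JavaScript audit that parses iframe `allow` attribute values and reports where camera or microphone is delegated with the `*` wildcard discussed above. The function names and the sample attribute values are constructed for illustration.

```javascript
// Added example: audit iframe `allow` values for wildcard capture delegation.
const CAPTURE_FEATURES = new Set(["camera", "microphone"]);

// Parse an `allow` attribute ("feature allowlist; feature allowlist")
// into a Map of feature -> allowlist tokens.
function parseAllow(value) {
  const policy = new Map();
  for (const directive of value.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. trailing ';'
    const feature = tokens[0].toLowerCase();
    // An omitted allowlist means 'src' (the origin of the iframe's src URL).
    const allowlist = tokens.length > 1 ? tokens.slice(1) : ["'src'"];
    // Choice made by this example: repeated directives are merged, so a
    // wildcard in any one of them is still reported.
    policy.set(feature, [...(policy.get(feature) || []), ...allowlist]);
  }
  return policy;
}

// Classify each capture feature as "wildcard", "none" or "scoped".
function auditAllow(value) {
  const findings = [];
  for (const [feature, allowlist] of parseAllow(value)) {
    if (!CAPTURE_FEATURES.has(feature)) continue;
    let scope = "scoped";
    if (allowlist.includes("*")) scope = "wildcard";
    else if (allowlist.every((t) => t === "'none'")) scope = "none";
    findings.push({ feature, scope, allowlist });
  }
  return findings;
}

// Names of capture features delegated to any origin the frame navigates to.
function wildcardFeatures(value) {
  return auditAllow(value)
    .filter((f) => f.scope === "wildcard")
    .map((f) => f.feature)
    .sort();
}

// Constructed sample attribute values.
const samples = [
  "camera *; microphone *;",
  "camera; microphone 'self' https://media.example",
  "camera 'none'; geolocation *",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", wildcardFeatures(s));
}
```
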