- From: Nicholas Macias via GitHub <sysbot+gh@w3.org>
- Date: Thu, 21 Mar 2024 19:19:07 +0000
- To: public-webrtc-logs@w3.org
You did well, but I would be more pointed:

> When the user grants a permission, that permission is keyed on the top-level, and is shared by all embedded documents that the embedder allowlists. Where embedders support user-generated code and plugins, the user will not be protected from unexpected usage of the stored permission.

It's technically possible that a platform will read the note in the spec, understand the responsibility, and elect to develop granular media permissions for each embed, but I've yet to encounter a single example.

My instinct for special casing is three part, but subjective:

1. The mismatch between user expectation ("this app") and implementation (top-level domain) was created by this specification.
2. There are opportunities to improve the communication of the risks in the spec, and maybe provide example mitigations.
3. There's a significant amount of special-case handling in browser UX for media capture features, which suggests that diffusing the work to Permissions Policy might translate to messy browser differences.

--
GitHub Notification of comment by rockinghelvetica
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2013411804 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 21 March 2024 19:19:08 UTC