Re: [mediacapture-main] risk model of stored permissions and constraint opportunities (#991)

@jan-ivar I should slow us down: the heading "questions raised" and the matter of "split permissions" pertain to the half-baked direction proposed, not the current standard. It may have been wiser for me to stop at describing the problem, as I think clarity on the risk is more important than any ideas about what to do next.

Yes, a [Figma plugin](https://help.figma.com/hc/en-us/articles/360042532714-Use-plugins-in-files#Network_access) is third-party code, served under a model similar to JS playgrounds.

### Example of the problem in a Figma context

A simple example in Figma (~3MM monthly subscribers) is that I might use a Figma plugin by Vimeo, a well-known third party.

1. I can elect to install and use such a tool from within Figma's webapp, or, I might open a shared design file that has an existing dependency.
2. Using this every day at work, one is likely to `☐ Remember this decision` even if they were generally defensive of their privacy. More to the point, the default behavior of Chrome is not the `chrome://flags/#one-time-permission` flag you have set. Safari can also save permissions starting around iOS 13.
3. The result is now that other third-party code in Figma can launch my webcam. I would have to authorize the general use of the risky plugin in the Figma platform, but there's no review of the relevant utility. It could have utility unrelated to a camera.

I generally behave like you on jsfiddle and ilk, but in the course of developing one's (own) app on something like Replit it would be very easy to take the shortcut after being presented this question a hundred times across the day.

AFAIK, the most popular browsers in use all set up this risk.

-- 
GitHub Notification of comment by rockinghelvetica
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2087841530 using your GitHub account



Received on Wednesday, 1 May 2024 01:33:37 UTC