Re: [mediacapture-main] risk model of stored permissions and constraint opportunities (#991)

Ah sorry I misunderstood. I agree it's good to narrow down the problem.

I didn't mean to diminish the problem by pointing to it going beyond camera and microphone. On the contrary, this likely needs addressing (call-out or changes) at a higher level, which would be the [permissions](https://github.com/w3c/permissions-policy/issues/new) or [permissions-policy](https://github.com/w3c/webappsec-permissions-policy/issues/new) spec.

> 3. The immediate side-effect is now that other third party code in Figma can launch my webcam. Each plugin within Figma has its own auth flow to interact with my files, but there's no platform review of the relevant utility & an offending plugin could e.g. have useful utility without obvious expectation of camera use.

It is Figma that breaks the trust chain here.
1. End-users grant OS permissions to web browsers (level 1 prompt)
2. In the web model, end-users grant permission to the website (level 2 prompt), which in turn is responsible for which third parties it delegates that permission to, and how.
3. It's Figma's job to figure out a model that scales past that to support its complexity (it's unobvious a 3rd level prompt is the answer)

Reviewing the tools available today, websites can manage permission delegation to their iframes by (sub)domains using [allowlists](https://www.w3.org/TR/permissions-policy-1/#ascii-serialization):
```html
<iframe allow="camera https://vimeo.figma.net https://sub2.figma.net" src="iframe.html"></iframe>
```
Central to such a scheme, "plugins" would run in different sub-domains and not have automatic access to `navigator.mediaDevices.getUserMedia` by default, which seems to be the problem here. Configuring which plugins get camera access could be part of the "auth flow" when you "install" the plugin (no need for a 3rd level prompt).

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2093442835 using your GitHub account
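The delegation scheme sketched in the comment above, as an added example (not code from the thread, from Figma, or from the W3C specs): a host page records which media features each plugin was granted during its install/auth flow and derives the iframe `allow` attribute from that record, so a plugin frame on its own sub-origin gets `camera` only if it was explicitly granted. The plugin origins and grant records are constructed for illustration.

```javascript
// Added example: per-plugin permission delegation via the iframe `allow`
// attribute. Everything below (origins, grants) is constructed, not real data.
const MEDIA_FEATURES = ["camera", "microphone", "display-capture"];

// Constructed registry: what each plugin origin was granted at install time.
const pluginGrants = {
  "https://vimeo.figma.net": ["camera", "microphone"],
  "https://sub2.figma.net": [],
};

// Only a bare https origin may appear in an allowlist; reject paths, http,
// trailing slashes and non-URL junk so nothing odd ends up in the attribute.
function isHttpsOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return false; }
  return url.protocol === "https:" && url.origin === value;
}

// Build the allow attribute for one plugin iframe. Every media feature is
// listed explicitly: an ungranted one becomes 'none' instead of being left
// out (a bare feature token would default to 'src', i.e. delegate to the frame).
function buildAllow(pluginOrigin, grants) {
  if (!isHttpsOrigin(pluginOrigin)) throw new Error(`bad origin: ${pluginOrigin}`);
  const granted = new Set(grants[pluginOrigin] ?? []);
  return MEDIA_FEATURES
    .map((f) => `${f} ${granted.has(f) ? pluginOrigin : "'none'"}`)
    .join("; ");
}

// Parse an allow attribute back into {feature: allowlist[]} so the host
// can audit what a given frame was actually handed.
function parseAllow(allow) {
  const out = {};
  for (const decl of allow.split(";")) {
    const [feature, ...list] = decl.trim().split(/\s+/).filter(Boolean);
    if (feature) out[feature] = list;
  }
  return out;
}

// Would `origin` receive `feature` under this allow string? Resolves the
// 'none' and '*' keywords and explicit origins; 'self'/'src' are left to the
// browser since they depend on the embedding document and frame src.
function isDelegated(allow, feature, origin) {
  const list = parseAllow(allow)[feature];
  if (!list || list.includes("'none'")) return false;
  if (list.includes("*")) return true;
  return list.includes(origin);
}
```

In the host page, `buildAllow(origin, pluginGrants)` is assigned to the plugin iframe's `allow` attribute before `src` is set; inside the frame, `getUserMedia` will then reject unless the feature was delegated, which is the behaviour the comment wants by default.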


Received on Friday, 3 May 2024 17:17:23 UTC