- From: Nicholas Macias via GitHub <sysbot+gh@w3.org>
- Date: Fri, 03 May 2024 18:49:31 +0000
- To: public-webrtc-logs@w3.org
Thank you for your articulation of the model underlying the spec's design decision. I think: 1. leaving the trust model to the domain is undermined by the ambiguity of this responsibility 2. the high cost/complexity of securing this trust the "right" way suggests it should be browser-side 3. if the prompt is initiated by third party code, can the host see it? ### The responsibility for the trust chain is not clear If Figma were an outlier, I might direct my feedback there. But this seems to be the common approach — and Figma might be the cleanest case of where the described "web model" works (because the UX is clearly and consistently 1:1 with the domain). They should get this right, and they don't. The problem is not obvious enough, and at minimum the spec needs to be a lot louder about this. From a web user perspective, I challenge that a "website" is understood as 1:1 with a domain. MANY very popular things exist today where there are millions of independent web apps running on a single site. I brought up Replit because it was especially interesting: I was developing my own app, which I trust. Granting camera permission in the context of my own project creates a wide-surface risk to any future Replit link. I tend to think it should be possible for a developer to be MORE conservative than the context they are working in with permissions, i.e. if Replit is dropping this ball, I should be able to request `navigator.mediaDevices.getUserMedia` with more circumspect scope. The mental model for trusting a "website" is way more aligned with the UX in front of me, i.e. the game I'm playing, not all the games on a given domain. I personally doubt that *most* developers invoking this code & messaging users about how the permission will be used understand at all what's going on upstream. ### Implementing the granular scheme is complex and expensive You've pointed out that it's possible for Figma to manage third-party camera use with sub-domains and their own plugin auth flow. They should! But they have incentives to invest in all this feature development, data storage, and testing: Figma document interactions, paid subscriptions, enterprise audits, etc. For everyone without these incentives, it feels like the browser could best step up. A minimum alternative might be for this group to provide a reference implementation of the scheme and best-practices. ### Implementation question Where a site lets third party code invoke `getUserMedia()`, is there an appropriate hook/event for the site in that promise workflow, for the purposes of implementing a granular scheme? Else, if the appropriate design is that the iframe does not have this permission by default, does an error reach the host document so that it can react as it sees fit? -- GitHub Notification of comment by rockinghelvetica Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2093581876 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 3 May 2024 18:49:31 UTC