Re: [mediacapture-main] risk model of stored permissions and constraint opportunities (#991)

> You're also trusting Replit.com

In this case, I *do* trust Replit (they have my credit card), and I also trust myself. In granting this permission, there is nothing but good faith. As a user, the unexpected gap in the trust model is that I have to trust everyone else creating content on Replit (neither intuitive nor practical), in the event that Replit isn't taking (demonstrably uncommon) steps to isolate the permission.

I think we're approaching clarity:

1. We agree there is a risk here? That a user is prompted to allow the use of the camera and/or microphone, and that permission has unexpectedly broad scope?
2. Sites that allow third-party use of the API do not commonly implement granular controls. I have personally not encountered any examples in the wild.
3. The technology exists to implement said protections, today, across browsers. It's a little clumsy in that each site host has to provide a bespoke interface for third-party code to request camera access (such as an authenticated flow, UX outside the iframe, or postMessage et al.), but it is entirely possible.

If those points are firm, I argue that they feel like a spec-shaped problem, in the sense that something is wrong and no one is doing a currently-viable thing about it?

-- 
GitHub Notification of comment by rockinghelvetica
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2093821443 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 3 May 2024 22:05:29 UTC
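As an added illustration of point 3 above (example code, not from the thread, the spec, or any site named in it): a host page can keep camera and microphone scoped per third-party frame by creating every guest `<iframe>` without an `allow="camera; microphone"` attribute, so `getUserMedia()` inside the frame fails with `NotAllowedError`, and by brokering requests itself over `postMessage`. The decision logic is kept free of DOM calls so it can be unit-tested. The message shape (`{ type: "media-request", devices: [...] }`), the `askUser` prompt and the `iframe.third-party` selector are assumptions made for this example; the Permissions-Policy `allow` attribute and its reload-to-apply behaviour are standard browser features.

```javascript
// Added example: a host-page "media broker" for third-party iframes.
// Guests are embedded WITHOUT camera/microphone delegation, e.g.
//   <iframe class="third-party" src="https://guest.example/app"></iframe>
// so getUserMedia() in the frame is denied by Permissions Policy. A guest that
// needs a device asks the host (assumed message shape, not a standard):
//   parent.postMessage({ type: "media-request", devices: ["camera"] }, "https://host.example");
// The host validates the sender's origin against an allowlist, shows its OWN
// prompt outside the iframe, and only then delegates the feature to that one
// frame and origin by setting the frame's `allow` attribute and reloading it
// (Permissions Policy is applied when the frame's document is created).

const DEVICE_FEATURES = { camera: "camera", microphone: "microphone" };

// Pure decision logic. `event` mimics a MessageEvent ({ origin, data }).
// `askUser(origin, devices)` is the host's own UX and returns a boolean.
// On grant, `allow` is a Permissions-Policy allow attribute scoped to the
// requesting origin only (never `*`), e.g. "camera https://guest.example".
function decideMediaRequest(event, allowedOrigins, askUser) {
  const { origin, data } = event;
  if (!data || data.type !== "media-request") {
    return { decision: "ignored" };
  }
  // Origin check first: a frame the host never vetted gets nothing.
  if (!allowedOrigins.has(origin)) {
    return { decision: "rejected", reason: "origin-not-allowlisted" };
  }
  // Only camera/microphone are brokered; anything else is dropped,
  // duplicates are collapsed, and an empty request is refused.
  const requested = Array.isArray(data.devices) ? data.devices : [];
  const devices = [...new Set(requested)].filter((d) =>
    Object.prototype.hasOwnProperty.call(DEVICE_FEATURES, d));
  if (devices.length === 0) {
    return { decision: "rejected", reason: "no-valid-devices" };
  }
  if (!askUser(origin, devices)) {
    return { decision: "denied", devices };
  }
  const allow = devices.map((d) => `${DEVICE_FEATURES[d]} ${origin}`).join("; ");
  return { decision: "granted", devices, allow };
}

// Browser wiring (assumed page structure); not executed outside a page.
function installMediaBroker(win, allowedOrigins) {
  win.addEventListener("message", (event) => {
    // Identify which of our guest frames sent the message; ignore all others.
    const frame = [...win.document.querySelectorAll("iframe.third-party")]
      .find((f) => f.contentWindow === event.source);
    if (!frame) return;

    const result = decideMediaRequest(event, allowedOrigins, (origin, devices) =>
      win.confirm(`Allow ${origin} to use your ${devices.join(" and ")}?`));

    if (result.decision === "granted") {
      frame.allow = result.allow; // delegate to this frame + origin only
      frame.src = frame.src;      // reload so the new policy takes effect
    } else if (result.decision !== "ignored") {
      // Reply to the exact origin, never "*".
      event.source.postMessage(
        { type: "media-response", decision: result.decision }, event.origin);
    }
  });
}

if (typeof window !== "undefined") {
  installMediaBroker(window, new Set(["https://guest.example"]));
}

module.exports = { decideMediaRequest, installMediaBroker };
```

The reload on grant discards the guest frame's state, which is the price of applying a per-frame policy without a spec-level mechanism; the guest simply calls `getUserMedia()` again on load. Note that this still leaves the browser's own stored permission scoped to the host origin, which is the gap the comment describes; the broker only narrows which frame the host chooses to delegate it to.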