- From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
- Date: Mon, 06 May 2024 22:21:19 +0000
- To: public-webrtc-logs@w3.org
Thank you for calling attention to this! I agree websites have not responded adequately to this risk. Things I think might help: clearer spec guidance https://github.com/w3c/webappsec-permissions-policy/issues/547; calling them out on it; competition. Where I disagree: > In this case, I do trust Replit (they have my credit card), ... As a user, the unexpected gap in the trust model is that I have to trust everyone else creating content on Replit (not intuitive nor practical), ... Maybe don't trust websites that create such gaps, and complain? > the high cost/complexity of securing this trust the "right" way suggests it should be browser-side That would be a regression. We tried this before https://github.com/w3c/webappsec-permissions-policy/issues/9. The idea of trusting iframes within a page was more confusing to most users, not less. Think of what the prompt would say. Figma defines what a "figma plugin" is. Steam defines what a "game" is. You don't want browsers defining these things. -- GitHub Notification of comment by jan-ivar Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/991#issuecomment-2097023908 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 6 May 2024 22:21:20 UTC