- From: Eric Rescorla <ekr@rtfm.com>
- Date: Sat, 7 Mar 2015 12:44:16 -0800
- To: "public-webrtc@w3.org" <public-webrtc@w3.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>
- Message-ID: <CABcZeBP8g2FzGDLztq2ZucsTqvOJVaB4txc1b0uWA6nQWgppCQ@mail.gmail.com>

https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#section-5.2
requires that JS be able to ask for short or long-term permissions grants:

   API Requirement: The API MUST provide a mechanism for the requesting
   JS to indicate which of these forms of permissions it is
   requesting. This allows the browser client to know what sort of
   user interface experience to provide to the user, including what
   permissions to request from the user and hence what to enforce
   later. For instance, browsers might display a non-invasive door
   hanger ("some features of this site may not work..." when asking
   for long-term permissions) but a more invasive UI ("here is your
   own video") for single-call permissions. The API MAY grant weaker
   permissions than the JS asked for if the user chooses to authorize
   only those permissions, but if it intends to grant stronger ones
   it SHOULD display the appropriate UI for those permissions and
   MUST clearly indicate what permissions are being requested.

However, there's no such affordance in the API and neither Chrome nor Firefox
comply with this. Currently:

- Chrome grants short-term permissions for HTTP and long-term permissions for
  HTTPS.
- Firefox by default grants short-term permissions but allows the user to select
  long-term permissions if the site is HTTPS.

It seems like some consistency would be nice here.

My personal view is that it would still be nice to require sites to
ask for persistent permissions if they want them and that there should
be a getUserMedia() flag to indicate that. If people agree with me, I'll
file an issue on the media capture specification to add this affordance.
However, if people think this is wrong, we should remove this requirement
in the security architecture document.

-Ekr
Received on Saturday, 7 March 2015 20:45:25 UTC