- From: Eric Rescorla <ekr@rtfm.com>
- Date: Sat, 7 Mar 2015 12:44:16 -0800
- To: "public-webrtc@w3.org" <public-webrtc@w3.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>
- Message-ID: <CABcZeBP8g2FzGDLztq2ZucsTqvOJVaB4txc1b0uWA6nQWgppCQ@mail.gmail.com>
https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#section-5.2 requires that JS be able to ask for short or long-term permissions grants: API Requirement: The API MUST provide a mechanism for the requesting JS to indicate which of these forms of permissions it is requesting. This allows the browser client to know what sort of user interface experience to provide to the user, including what permissions to request from the user and hence what to enforce later. For instance, browsers might display a non-invasive door hanger ("some features of this site may not work..." when asking for long-term permissions) but a more invasive UI ("here is your own video") for single-call permissions. The API MAY grant weaker permissions than the JS asked for if the user chooses to authorize only those permissions, but if it intends to grant stronger ones it SHOULD display the appropriate UI for those permissions and MUST clearly indicate what permissions are being requested. However, there's no such affordance in the API and neither Chrome nor Firefox comply with this. Currently: - Chrome grants short-term permissions for HTTP and long-term permissions for HTTPS. - Firefox by default grants short-term permissions but allows the user to select long-term permissions if the site is HTTPS. It seems like some consistency would be nice here. My personal view is that it would still be nice to require sites to ask for persistent permissions if they want them and that there should be a getUserMedia() flag to indicate that. If people agree with me, I'll file an issue on the media capture specification to add this affordance. However, if people think this is wrong, we should remove this requirement in the security architecture document. -Ekr
Received on Saturday, 7 March 2015 20:45:25 UTC