[webrtc-extensions] `getCapabilities` seems to leak hardware capabilities w/o a permission (#54) from Bernard Aboba via GitHub on 2020-11-24 (public-webrtc@w3.org from November 2020)

From: Bernard Aboba via GitHub <sysbot+gh@w3.org>
Date: Tue, 24 Nov 2020 10:29:40 +0000
To: public-webrtc@w3.org
Message-ID: <issues.opened-749580904-1606213779-sysbot+gh@w3.org>

aboba has just created a new issue for https://github.com/w3c/webrtc-extensions:

== `getCapabilities` seems to leak hardware capabilities w/o a permission ==
Moved from the WebRTC-SVC repo: https://github.com/w3c/webrtc-svc/issues/22

Opened by snyderp

Apologies if I'm misreading the spec, but if I'm reading it correctly it looks like a site can learn about the visitors underlying hardware capabilities w/o a permission prompt or some other positive, affirmative action by the visitor.

Is my reading of the spec correct then, there is a FP vector exposed by the current text that would need to be mitigated (e.g. sites couldn't access it by default).

Otherwise, if this is addressed elsewhere, could you kindly point me to where, so I dont make the same mistake twice? :) Thanks!

Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/issues/54 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 24 November 2020 10:29:42 UTC