On Sun, Sep 7, 2014 at 11:45 PM, Henri Sivonen <hsivo...@hsivonen.fi> wrote:
> On Fri, Sep 5, 2014 at 4:15 PM, Eric Rescorla <e...@rtfm.com> wrote: > > > > > > > > On Fri, Sep 5, 2014 at 3:34 AM, Henri Sivonen <hsivo...@hsivonen.fi> > wrote: > >> > >> On Fri, Sep 5, 2014 at 1:25 PM, Robert O'Callahan <rob...@ocallahan.org > > > >> wrote: > >> > On Fri, Sep 5, 2014 at 10:19 PM, Henri Sivonen <hsivo...@hsivonen.fi> > >> > wrote: > >> >> Is current gUM restricted to authenticated origins? If it isn't, is > it > >> >> realistic to restrict it to authenticated origins? > >> > > >> > That's a good idea but it's a separate issue. > >> > >> Is it already being pursued or should I file a bug? > > > > > > It's not being pursued. It was considered in the WG and rejected. > > Do *you* think the WG's stance on this was and continues to be the > right call for our users > Eh.. Not sure. AFAIK, there's not much of a reason why arbitary sites shouldn't be able to access your camera and microphone, provided that you're not placing trust in the site to do anything in particular with your data. With that said, I wouldn't be upset if HTTPS was required here, and at one point I argued for that for PeerConnection on the grounds that the apparent security properties weren't the real ones. > Do you have a pointer to the WG's rationale for the rejection? I tried > to search for it, but I failed to find either a decision or rationale. > The closest I could find was > https://www.w3.org/Bugs/Public/show_bug.cgi?id=22214#c3 , which treats > https origins as special and says that stored permissions should only > be available for them. It was less a rationale than a lack of people being convinced. I raised it once or twice and there were a lot of people strongly opposed, and since the default is that things work on HTTP, that's where it stayed. -Ekr _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform