Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security-privacy-questionnaire.md #242

Merged
merged 4 commits into from
Aug 6, 2020
Merged

Add security-privacy-questionnaire.md #242

merged 4 commits into from
Aug 6, 2020

Conversation

riju
Copy link
Collaborator

@riju riju commented Aug 4, 2020
edited
Loading

Fixes #172

@riju riju mentioned this pull request Aug 4, 2020
Closed
@riju
Copy link
Collaborator Author

riju commented Aug 4, 2020

@jan-ivar : PTAL

jan-ivar
jan-ivar reviewed Aug 5, 2020
View reviewed changes
security-privacy-questionnaire.md Outdated
### 06. What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?
No particular additional information is exposed about the camera hardware, like brand, etc, however we do expose if the platform has support for the constainable properties.
No particular additional information is exposed about the camera hardware, like brand, etc, however we do expose if the platform has support for the constainable properties.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add:

"A site with permission to one or more cameras will be able to probe the existence of these new capabilities on those cameras, by passing constraints to getUserMedia or track.applyConstraints. The new capabilities are:" (and then list them).

Also:

"A site without camera permission may be able to probe the lack of a capability from the user's total set of cameras, but by doing so risks causing a user-facing prompt if the capability is available. This helps provide browsers with information about a site's camera needs when prompting the user, while deterring tracking libraries from attempting to use the API without detection."

About pan-tilt-zoom permission: if I'm reading the spec right, the mere mention of pan, tilt or zoom in a constraints-set should trigger a prompt for pan-tilt-zoom permission, even if it ends up finding zero devices, is that correct? Is that how it's implemented in Chrome or other browsers? If so, then there's no added pre-prompt exposure from those three properties, otherwise there would be.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Chrome does not request a pan-tilt-zoom camera permission (but only a normal camera permission) if there are no pan-tilt-zoom cameras.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't track.applyConstraints an overly complex method to probe existence of capabilities when there are track.getCapabilities and track.getSettings for exacly that kind of probing?

security-privacy-questionnaire.md Outdated Show resolved Hide resolved
@riju riju marked this pull request as ready for review August 6, 2020 13:28
@riju
Copy link
Collaborator Author

riju commented Aug 6, 2020

@eehakkin , @beaufortfrancois and @jan-ivar : I am merging the first draft of this questionnaire as we need to discuss this in the WebRTC - editors meeting. We can correct / append this in the coming days.

@riju riju merged commit b7f54bb into w3c:master Aug 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eehakkin eehakkin eehakkin left review comments

@jan-ivar jan-ivar jan-ivar left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fill Security & Privacy questionnaire #122
3 participants
@riju @eehakkin @jan-ivar