Temasys
Preserving granted device permissions in IE
Currently every time the getUserMedia function is called – the Temasys WebRTC Plugins asks the user for device permissions in system pop-up window.
What is the way to preserve granted permissions in order to not annoy users?
There is currently on way of doing that with the free plugin, and this is for security reasons. The plugin is a .dll and can be called from any program. In order to protect our customer, we decided to keep this permission popup activated.
If you really need to remove the popup, you can take a look at our whitelist feature, but this is part of our paid plugin. You can contact [email protected] for more information.
JO,
in the spec, for security, it is written that if a given origin/url is accessed over HTTPS, the permissions persist for 30 days. I think we should implement that as well.
Alex.
On Thu, Apr 9, 2015 at 1:43 AM, Jacques-Olivier Haché < [email protected]> wrote:
Closed #64 https://github.com/Temasys/AdapterJS/issues/64.
— Reply to this email directly or view it on GitHub https://github.com/Temasys/AdapterJS/issues/64#event-276508428.
Alex. Gouaillard, PhD, PhD, MBA
CTO - Temasys Communications, S'pore / Mountain View
President - CoSMo Software, Cambridge, MA
sg.linkedin.com/agouaillard
I agree with that. Whoever, this is supposing that the feature is secured in the web browser. In the case of the plugin, the dll can be called by anyone at anytime. I don't think it would be impossible to trick the plugin in thinking it is on a given website when it is actually in some malware.
I see a security breach here that might not be worth following the specs... What do you think @agouaillard
I don t think there is a security issue. We should reproduce As much as possible the browsers' behavior
On Thu, Apr 9, 2015 at 4:10 AM, Jacques-Olivier Haché < [email protected]> wrote:
I agree with that. Whoever, this is supposing that the feature is secured in the web browser. In the case of the plugin, the dll can be called by anyone at anytime. I don't think it would be impossible to trick the plugin in thinking it is on a given website when it is actually in some malware.
I see a security breach here that might not be worth following the specs... What do you think @agouaillard https://github.com/agouaillard
— Reply to this email directly or view it on GitHub https://github.com/Temasys/AdapterJS/issues/64#issuecomment-91038291.
Alex. Gouaillard, PhD, PhD, MBA
CTO - Temasys Communications, S'pore / Mountain View
President - CoSMo Software, Cambridge, MA
sg.linkedin.com/agouaillard
I want to introduce the option to add a checkbox that in case of SSL secured websites allows the user to decide if he wants to save his selection, considering a potential malware case.
We repeat that often in the standard committee: giving a choice is only good if the user understand the choice. Otherwise, they always click yes, without understanding the consequences. it is our responsibility not to given them a shotgun. In this case though, you know from which executable you re being launched (you could check it s safari), you also have access to the DOM, so you know on which page you are, hence the origin. I can not think of a single scenario we cannot check against.
On Thu, Apr 9, 2015 at 10:31 AM, Thomas Gorissen [email protected] wrote:
I want to introduce the option to add a checkbox that in case of SSL secured websites allows the user to decide if he wants to save his selection, considering a potential malware case.
— Reply to this email directly or view it on GitHub https://github.com/Temasys/AdapterJS/issues/64#issuecomment-91105632.
Alex. Gouaillard, PhD, PhD, MBA
CTO - Temasys Communications, S'pore / Mountain View
President - CoSMo Software, Cambridge, MA
sg.linkedin.com/agouaillard
I'd have the checkbox not checked by default. I'd rather give them a shotgun than having them shoot with it straight away to stick with your example ;)
Is there any update on this? AFAIK Safari and IE both prompt users before a plugin can be used on a specific domain anyways, so even if a malicious site was able to trick the plugin into thinking it was an accepted site (though I'm not sure how it would do that. Can't the plugin query the origin from the browser?) the user would have to authorize the plugin to run on the malicious site.
