On 4/16/2012 11:14 AM, Jason Miller wrote:
That is one area where one could trust the app - the only way for it to
gain access to the camera would be to insert the button's DOM node facade
(this is a secure mechanism, because the DOM node is not the button itself,
it is only a placement indicator). The OS then observes the positioning,
determines if the app is trying to obscure the button, and creates the real
UI element.
That being said, is there still a need for the buttons? I thought the
general consensus was that the delay+indicator+permissions was the way to
go?
Delay: so bad I don't know where to begin. :-(
Unstyleable button: We considered this in the early internal
discussions with Boriss about possible ways to avoid/minimize
requester-fatigue. Hell, I was the one who suggested it.
The problem with in-page UI is that it's hard to guarantee - For example
clickjacking: Evil App plops/moves the button down right when/where it
thinks you're going to click - it may be unstyleable, but it may not be
there long enough for you to see it/avoid clicking on it. Yes, you can
try to mitigate those sorts of problems, but it's a bit of a rathole,
and how does the user learn this is the "safe" way to invoke the camera?
Maybe I'm wrong, but I think I'm right. If we do this, we'll need
something similar for 'end call'/'stop-recording', because you don't
want the user to "stop recording" and have the app continue to stream
your video to a server because the app put something that *looked* like
Stop in their page.
As already mentioned, another big problem is that whatever you pick for
the button, it will like not work or work poorly for some class of
apps/users. If you add alternates, you lose the "the user will learn
the standard button" argument (though even that argument has problems IMHO).
I will say that the preview/camera-select/access doorhanger mockup done
by boriss (which we showed at W3 TPAC) got a lot of positive response.
I should also note that WebRTC is trying to make a minimum set of
security requirements, though it leaves the mechanism and UIs up to the
browser. See http://tools.ietf.org/html/draft-ietf-rtcweb-security-02
--
Randell Jesup, Mozilla Corporation
Remove ".news" for personal email
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
