I wrote: >There's also the "how" we do preview in a shader. Normally, for >streaming preview we'd use getUserMedia() (which is where we can hook >permissions, camera selection, etc) and take the MediaStream and feed it >to whatever (video elements, peerconnections, etc). I presented a slide >deck at the IETF RTCWEB interim in Feb. on "MediaStream Security" where >we proposed using cross-origin protections to protect the data in a >mediastream from untrusted JS apps (and even allow MediaStream >Processing in JS workers, sandboxed by cross-origin protections against >feeding data back to the app from the JS worker).
Since some have asked: http://www.w3.org/2011/04/webrtc/wiki/images/a/a3/MediaStream_Security_1.pdf Asks more questions than it answers, but may help you understand a few of the open security issues around browser-to-browsers calls, especially with untrusted JS code. (Note that the Threat Model for rtcweb (IETF's part of WebRTC) is the JS code is untrusted and may be evil or compromised; see the IETF security drafts for rtcweb for details.) -- Randell Jesup, Mozilla Corp remove ".news" for personal email _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
