On Fri, Apr 26, 2013 at 8:56 PM, Paul Theriault <[email protected]> wrote:
> In bug 853356, there is some discussion around the permission granting
> mechanism to allow content to ask for microphone access via getUserMedia. The
> current plan is to use a prompt & permission combination similar to the way
> geolocation is handled. To me this API is much more sensitive than
> geolocation, and needs stronger mitigation.
>
> Some thoughts for discussion:
>
> 1. Current FirefoxOS prompts can not be ignored
> Prompts on b2g are modal and can not be ignored - the user must choose one
> way or another. Compare this to the door hanger approach for getUserMedia on
> desktop: if the user simply ignores the prompt it goes away. I would like to
> see "safe if ignored" style of permission request on FirefoxOS for this use
> case if possible to prevent the user accidentally making the wrong choice.

The tricky questions here are mostly UX related (as I find most security questions to be these days). It's hard to fit a door-hanger-style prompt on a small-screen device. And it's even harder to do so when we don't really have anyplace to hang it off of.

But we can probably do interesting things here by using the status bar and the notification center maybe?

Another interesting question here is if we should allow apps to display their own door-hanger notifications. I.e. should the browser app be able to create a door-hanger the way that we do on Firefox for Android? And if so, how does that interact with a system-level notification?

> 2. Current permission indicators are not strong, or always present
> For untrusted content, there needs to be some trusted indicator that the
> camera/microphone is enabled. At the moment we have small icons in the
> taskbar for some permissions but in this case I think we need something more
> obvious like a red bar or something that is present for the duration of
> recording. (something similar to the call background indicator perhaps)

We talked a lot about this about a year ago when it comes to camera. The best proposals that I saw are similar to what you are proposing here. Basically ensure that the status bar is visible (i.e. disable "fullscreen") and put a clear indicator there that recording is happening.

> 3. The user needs a way to turn off video/audio
> The user needs a trusted way to know that video/audio is disabled. The
> permission is revoked when the window (app) is closed, but how does the user
> know which app is using the camera/mic? Obvious idea would be that tapping
> the recording indicator takes you to the app which is using the permission,
> so you can turn it off in the app, or close the app.
> However I also worry that the UI to close an app isn't very discoverable (long
> press on home, swipe up on app thumbnail). So maybe we need something more
> explicit here (perhaps combined with the notification from 2.)

If we put an indicator in the status bar, I think it'd be great if we could at the same time put something in the notification center. The status bar is really too small to interact with. If the user can pull down the notification center and there see a clear widget which shows which app is using the microphone right now, and have a button in that widget which turns off the microphone, then we wouldn't even need to kill the app.

> Finally, I imagine that we might provide less intrusive UI for privileged or
> certified apps, but exactly what depends on the UI for web content, and the
> privileged/certified use cases.

The less we do this the happier I am. It's always a bad sign when we feel that the platform we create for 3rd party developers isn't good enough for us.

One solution might be to for now give ourselves the permission to not have the force-display status bar when camera or microphone is on. And once we feel more comfortable with our review system allow privileged apps to get the same right, after the usual review of course.

/ Jonas
