Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

IMO, WebRTC is the technology which will make browsers trump apps. Especially, now as iOS 11 starts shipping with support for it.


I'm a little worried about webcam access in browsers at least as currently implemented (and native apps I suppose but less so)

As it is, in Chrome, if you let a webpage access your camera (or mic) that page gets permanent permission to access the camera whenever it wants forever, no questions asked again. I recently visited one of the early HTML5 Webcam demos that I hadn't visited in over two years. I expected to get asked for permission to access the camera. Instead the camera just came on. That is NOT a good model for web sites that are covered in ads and scripts from all over the net.

I'm sure Google was thinking of supporting hangouts when designing webcam support and for the most part I agree that if hangouts always had access to the camera that might be no worse than a native app. But, it's the browser it's not a native app, it's untrusted code.

Even for communications sites though if I run them in an iframe they get camera permission. In other words, say yes just once and now that domain can follow you all over the net and use your camera, at least as of Chrome 59.

I don't know what the best permission UX is. Always asking seems lame for actual communication websites (messenger, hangouts, slack?, ...) but not asking sucks for the open web. It even sucks on a communications website if the camera feature is not something I use often. I don't want any app to have permission to spy on me. I personally want to opt-in to always ask. I'd prefer this even in native apps but especially for the web.

https://greggman.github.io/doodles/html5-webcam-iframe.html

PS: I filed a bug on this about 5 months ago but no word

https://bugs.chromium.org/p/chromium/issues/detail?id=687834


> As it is, in Chrome, if you let a webpage access your camera (or mic) that page gets permanent permission to access the camera whenever it wants forever, no questions asked again.

Firefox asks if you would like to remember allowing camera access (this appears to be respected when refreshing the page):

http://imgur.com/a/3lbt2

Chrome does not:

http://imgur.com/a/2aSY5


Yes, I mentioned that in the bug report.

I get the feeling camera access should always ask from an iframe period. There should be no "always allow" from iframes.

On top of that, given that many pages use 3rd party scripts from CDNs etc I feel like it's pretty dangerous to give any site permanent permission to access the camera/mic.


Not sure about in the phone, but in the desktop versions, you can click the (i)/Secure icon to the left of the website to review/change your permissions for the site.

For mobile, it looks like you can hit the vertical menu button in the top right, then the (i) icon, then Site Settings...


The example site provided ( https://greggman.github.io/doodles/html5-webcam-iframe.html ) serves an iframe from a different domain so the site settings on the visible page do not affect the actual camera permissions:

Site settings: http://imgur.com/a/JIDeD (note: camera is set to 'block', but there is still the red dot in tab indicating camera access)

Camera usage: http://imgur.com/a/3HXHo (note: different domain listed)


iOS and Android have both had WebRTC support for years now, so I don't see this as a differentiating factor. If anything, apps have the advantage of having access to some very low-level APIs that would allow you to develop your own P2P protocol.


You are wrong. ios does not have support for it. Not in safari nor chrome. I have tested it extensively. It is scheduled for inclusion in next ios release. Chrome and firefox on Android both support it and have for ages.


I don't mean mobile browser support but support for WebRTC within native apps.


Can you expand a bit? Because to me this is non sequitur at best.


Perhaps so. So to be proactive we should all disable WebRTC and hopefully (fat chance) we can stifle it enough that web developers can't rely on it being available.


Not unless you care about performance.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: