This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The security section should warn people about the risk of having a website that took URLs like www.example.com?call=evil or www.example.com?call=+1900-PAY-FLUF. If the site automatically makes that call if example.com had permission, then an advertisement network can display an ad that redirects you to this and the user's camera will be sending stuff and sending it to an attacker.
Changing subject for better readability.
Agree, was thinking about this the other day. We will make changes to our sample apps to prevent this.
The receivers of this info would be web developers, rather than implementers of the spec. Where do we put that kind of info?
Proposed fix: https://github.com/w3c/mediacapture-main/pull/9

I'm also suggesting more thorough protections against this type of abuse: http://lists.w3.org/Archives/Public/public-media-capture/2014Aug/0187.html
In the interest of making progress, I propose we add a note that more feedback is wanted from webappsec on this.
(In reply to Stefan Hakansson LK from comment #5)
> In the interest of making progress, I propose we add a note that more
> feedback is wanted from webappsec on this.

I've updated PR 9 to that effect.
Merged dom's PR to fix this.
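
The pattern this bug describes, next to a form that only starts capture after a click on the page itself. This is an added example, not code from the spec, from PR 9, or from any commenter; the function names, the `userConfirmed` option, the `call-button` element id and the `startCall` callback are assumptions made for illustration.

```javascript
// Added example; function names, option names and the element id are assumptions.

// Pattern from the report: the page trusts ?call= and starts the call on load,
// so any cross-site redirect can trigger it once the site has permission.
function planCallUnsafe(pageUrl) {
  const callee = new URL(pageUrl).searchParams.get('call');
  return callee ? { action: 'start', callee } : { action: 'idle' };
}

// Hardened: the URL may only pre-fill the dialer. 'start' is reachable only
// when the caller passes userConfirmed, which it sets inside a click handler.
function planCallFromUrl(pageUrl, { userConfirmed = false } = {}) {
  const raw = new URL(pageUrl).searchParams.get('call');
  if (raw === null) return { action: 'idle' };
  const callee = raw.trim();
  // Constrain the callee to a short identifier before showing or dialing it.
  if (!/^[A-Za-z0-9+.@_-]{1,64}$/.test(callee)) {
    return { action: 'reject', reason: 'malformed callee' };
  }
  return { action: userConfirmed ? 'start' : 'confirm', callee };
}

// Browser wiring: getUserMedia is requested from the click handler, never at load.
// `win` is the window object; `startCall` is the app's own (hypothetical) dial function.
function wireDialer(win, startCall) {
  const plan = planCallFromUrl(win.location.href);
  if (plan.action !== 'confirm') return plan;
  const button = win.document.getElementById('call-button'); // assumed element id
  button.textContent = `Call ${plan.callee}?`; // textContent: callee is untrusted
  button.addEventListener('click', async () => {
    const confirmed = planCallFromUrl(win.location.href, { userConfirmed: true });
    const stream = await win.navigator.mediaDevices.getUserMedia({ audio: true, video: true });
    startCall(confirmed.callee, stream);
  }, { once: true });
  return plan;
}
```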