Intent to Remove: Insecure origin usage of getUserMedia()
(security-dev@ to BCC as an FYI; discussion should remain on blink-dev@)
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ
Summary
We want to start applying the concepts in https://w3c.github.io/webappsec/specs/powerfulfeatures/ to features that have already shipped and which do not meet the (new, not present at the time) requirements. This is an intent to remove specifically for getUserMedia() on insecure origins.
Motivation
It is of very low use.
Compatibility Risk
Describe the degree of compatibility risk you believe this change poses. Please indicate how long the API has been supported by Chrome and the feature’s status in other browsers.
Usage information from UseCounter
On insecure origins (to remove): https://www.chromestatus.com/metrics/feature/popularity#GetUserMediaInsecureOrigin
On secure origins (to remain):
https://www.chromestatus.com/metrics/feature/popularity#GetUserMediaSecureOrigin
getUserMedia() on insecure origins is used on 0.0009%, below the 0.03% deprecation level. Given that it is used on secure origins on 0.0212% of page loads, that means that it accounts for ~%4 of page loads that use getUserMedia(). Given the rather large privacy risks of video and sound from the client over insecure channels, this seems to us to be well worth the compatibility risk.
OWP launch tracking bug
Entry on the feature dashboard
I believe this fits under the already existing getUserMedia entry: https://www.chromestatus.com/features/6067380039974912
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Non-OWNER's LGTM. Thanks for moving this forward, Joel. Looking forward to the steady drumbeat of deprecations and removals that you're surely planning.
lgtm2