getUserMedia has now been deprecated on non-https connections?

4

This morning I updated my Google Chrome on Ubuntu.

When I went to test the part of the system (local) where we take a picture from the webcam, instead of displaying the authorization message to access the webcam, I received the following message in the browser console:

  

getUserMedia () is deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to secure origin, such as HTTPS.

Translating is

  

getUserMedia () is obsolete about the unsafe sources and support will be removed in the future. You should consider moving your application to a secure source, such as HTTPS.

Do all systems that use getUserMedia have to be changed to HTTPS because of this?

What is the reason for removing support for getUserMedia on non-https sites?

Update

I get this message on my Google Chrome today:

  

getUserMedia () no longer works on insecure origins. To use this feature, you should consider switching your application to secure origin, such as HTTPS

Already blocking the use of the camera's capture / microphone functionality.

And yet I'd like to know the danger of using these features on non-https connections (I do not like to say "unsafe").

    
asked by anonymous 29.10.2015 / 12:14

1 answer

2

The Chromium project has announced this change to adapt to the new W3C standard, which mandates that the use of any powerful feature be limited to secure, authenticated environments.

The W3C itself admits that simply requiring HTTPS for such features is not enough to guarantee end-user security, however it establishes such a standard as a prerequisite for building a safer Internet. The determination is that any application that has access to sensitive data is offered with the minimum of authenticated security (HTTPS).

While the policy does not prevent malicious developers from delivering harmful content to end users, it at least tries to make it less common for Man-in-the-Middle attacks to inject malicious scripts into a web page to acquire sensitive data from its users.

Before such a change could happen, it was necessary to discuss what characterizes powerful features in the Web context. In short, a powerful feature has been defined as any and all code that offers access to:

  • Sensitive Information (Personal Information, Credentials, Payments, etc.)
  • Access to sensors (geolocation, webcam, camera, etc.)
  • Information from other devices (Bluetooth, Wireless, etc.)
  • Stored Sessions
  • Features that can request user permission
  • Among others.

Note: I think it's worth adding that Chrome offers a flag that allows you to treat unsafe sites as safe for testing purposes. Just run Chrome using the --unsafely-treat-insecure-origin-as-secure="example.com" flag (replacing example.com with your domain of interest).

13.01.2016 / 20:06
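
As an added example (not part of the answer above, and not Chrome's own code), the sketch below shows how a page can check whether its origin qualifies as secure before it asks for the camera, and report why capture is unavailable instead of failing silently. `isPotentiallyTrustworthy` is a simplified approximation of the W3C Secure Contexts rule, and the `env` parameter and function names are assumptions made for the example.

```javascript
// Added example. Simplified approximation of the "potentially trustworthy
// origin" test from the W3C Secure Contexts spec; not Chrome's own code.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input is never treated as secure
  }
  // Schemes that authenticate the server and encrypt the transport.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Loopback: traffic never crosses the network, so plain HTTP is accepted.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  return host === '[::1]';
}

// env is a hypothetical parameter shaped like the browser's `window`
// (isSecureContext, location, navigator) so the check also runs outside a browser.
function cameraPrecheck(env) {
  const secure = typeof env.isSecureContext === 'boolean'
    ? env.isSecureContext // the browser's own verdict wins when available
    : isPotentiallyTrustworthy(env.location.href);
  if (!secure) return 'insecure-origin';
  const md = env.navigator && env.navigator.mediaDevices;
  if (!md || typeof md.getUserMedia !== 'function') return 'unsupported';
  return 'ok';
}

async function openCamera(env, constraints = { video: true }) {
  const verdict = cameraPrecheck(env);
  if (verdict !== 'ok') return { ok: false, reason: verdict };
  try {
    return { ok: true, stream: await env.navigator.mediaDevices.getUserMedia(constraints) };
  } catch (err) {
    return { ok: false, reason: err.name }; // e.g. NotAllowedError on user denial
  }
}
```

In a page this would be called as `openCamera(window)`; a local development server on `http://localhost` passes the check, while the same application served over plain HTTP from another host does not.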