Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
unsnap_biceps 3 days ago

Can someone describe the feature that this is used for? I struggle to think of any valid reason for automatic joining with audio/video like that.

jeroenhd 2 days ago | parent | next [-]

Matrix embedded Jitsi as their voice/video calling solution for a while, probably still does depending on what client you use. Automatically joining the call when you click the call button just makes sense from a UX perspective.

That said, I can't think of a reason why you'd want to permit it outside of very specific containers. Useful for integration, but outright bad design for a public instance.

ginking 2 days ago | parent | prev | next [-]

I would say it's to reduce friction - only grant permission once, rather than every time you join a jitsi meeting.

morsch 2 days ago | parent [-]

It's not so much about the permissions (which is a browser issue) but about the config.prejoinConfig.enabled flag: usually when joining a meeting, you get an interstitial page which let's you check your webcam image and sound settings before hitting join to enter the call. This setting (passed as a request param) skips that screen.

I'm not a fan, either. I'm used to the interstitial page from other services, and in fact would not expect to join a call and stream data before hitting "join".

Jitsi is used in many custom solutions (which may have their own UI for getting user opt-in, like a customer hitting "Next step" in a registration wizard), I expect that's why they added it.

charcircuit 2 days ago | parent [-]

Even without that enabled. You now have to keep the domain registered forever else an attacker can register the domain start recording people from it since permissions do not reset when site ownership changes.

dathinab 2 days ago | parent [-]

oh yes, that is such a dump design of web permissions

alongside of the abysmal UX for listing/removing them (from a "normal" user POV it's somehwhat usable for someone who understands tech a bit more)

like in general IMHO origin separation over time (e.g. permissions, cache, local storage) should be bound to some public key cryptography schema where the public key is shipped alongside DNS and every time it changes (or disappears) it's treated as a new origin.

So basically HPKP but 1. one key per origin, 2. separate from the TLS key, 3. way less harmful if messed up so actually just fine to use without worry to permanently lock yourself out.

Also maybe 4. crypto likeable to a group of person/company identity public keys detached from TLS and not spoofable by government DNS/TLS takeover attacks. But in a way where this system is added on top instead of being a building block to make it hard for regulators to effectively shut it down. Like I which police all luck to find all the criminals but history non stop shows we can't rely on governments not going crazy and start prosecuting people for just being different without different meaning "actively" hurting other people or entrapping and then persecuting people for having different political (or religious) opinions or other similar nonsense.

dathinab 2 days ago | parent | prev [-]

if it's embedded in another service and you already clicked join etc. through that other service to name one UX flow where an additional pre-join dialog would be not supper wanted

I e.g. would not complain if MS Teams (I have to use for work) would not put me into a pre join dialog every time I click join in Outlook but just joins me with mic muted/camera disabled by default. But then it also wouldn't be a security issue in my case as I put MS Teams and co. into it's own browser window/process/profile (not due to concerns but more as a side effect of them refusing to even trying to work on Firefox and not wanting to miss out on the tab sync + tab group + account container and not being allowed to install arbitrary extensions which add similar functionality to chrome).