"Provide per-origin user alerts / prompts and permissions" headings do not accurately reflect the content

[ddorwin]

Both the Security and Privacy sections have mitigations with the heading "Provide per-origin user alerts / prompts and permissions".

The current heading could be interpreted as:

1. The mitigation is to provide alerts or permission prompts.
2. The mitigation is to ensure that any alerts, prompts, or permissions are per-origin.

More importantly, both contain important requirements that extend beyond alerts, prompts, or permissions. The per origin (and per browsing profile) requirements in the following paragraph are an additional mitigation. Certainly those requirements must (#314) be per-origin, but that is not the most important mitigation in these sections.

Specifically:

• https://w3c.github.io/encrypted-media/#security-prompts says, "User agents SHOULD ensure that users are fully informed and/or give explicit consent before a Key System that presents security concerns that are greater than other user agent features (e.g. DOM content) may be accessed by an origin."
• https://w3c.github.io/encrypted-media/#privacy-prompts says "User agents MUST ensure that users are fully informed and/or give explicit consent before using Distinctive Identifier(s) and Distinctive Permanent Identifier(s)."

[mwatson2]

I'm not sure what is proposed to be changed here.

[jdsmith3000]

I agree that #314, #315 and #316 are worthwhile editorial changes.

For this one, I believe we want to change: Provide per-origin user alerts / prompts and permissions

To: Ensure that users are fully informed and/or give explicit consent

[ddorwin]

Yes, that is the type of change I was referring to. I'll make a PR.

[ddorwin]

PR #322.