(In reply to Johann Hofmann [:johannh] from comment #1)
I don't really understand the threat model behind not just granting for, say, 60 minutes
I didn't want to leave this unanswered: Camera and microphone are used outside of web conferencing. The threat model is non-curated sites spying on users long after they've finished the related activity that prompted camera and microphone use in the first place. Activities may include seemingly temporal ones like taking a photo, scanning a bar code, or recording a voice greeting. Firefox has no reliable hook to know when these activities have ended, other than
track.stop() and tab close.
To compound the problem,
getUserMedia, for web compat reasons, does not require user gesture, so a malicious tab left open and visible may turn on the camera and microphone 59 minutes later to record them or their environment without them even being there.
Safari uses heuristics, which seem to boil down to a long timeout, but we have some indication they might use other signals too like periods without browser focus, laptop wake state, etc. to trigger re-prompt sooner. They also never extend permission past navigation or page refresh, like we're about to.
On the other end of the spectrum is Chrome, which does not appear to attempt mitigating this risk at all. We probably want to be closer to Safari.
So I think bug 1697487 is a good idea.
immediately after user consent.
Tying it to the start of permission would create unnecessary edge cases in long meetings: If they mute after 59 minutes, would they only get a 1 minute grace period? If they mute after 61 minutes, would they get no grace period, or does it reset to another 60 minutes? The amount of time they've been on seems irrelevant.
So tying it to the end of capture, and merely extending the grace period to 60 minutes from then, seems better.