- From: cowwoc <cowwoc@bbs.darktech.org>
- Date: Tue, 26 Nov 2013 18:30:27 -0500
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Justin Uberti <juberti@google.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 26/11/2013 4:22 PM, Martin Thomson wrote:
> On 26 November 2013 12:36, cowwoc <cowwoc@bbs.darktech.org> wrote:
>> Okay, good. So the next question is: what is different between the
>> install-time consent box and the one that pops up for each sharing request?
> I'm an advocate for zero popups. Having the site trigger a consent
> dialog reduces the value of the consent thus obtained. Even though it
> might not be modal and require user interaction, it still effectively
> inserts itself into the path for a user's goal-seeking behaviour.
> It's attention-grabbing, so users will learn to click there.
>
> A more effective approach, one that is shared by a number of
> applications that offer screen sharing, is to force the user to
> actively seek screen sharing options. If the browser offered a menu
> item somewhere that said "Share Screen/Application..." and the user
> sought that menu item and selected it, then I might have a better
> sense that this is their intent. Even better if that then produced a
> selection dialog whereby the user could select between "everything
> that I see" and "just a specific application" (and maybe "just a
> specific browser tab"), as long as there was a prominent "oops,
> nevermind, cancel" button there. Doing this could maybe fire Justin's
> proposed "sourceschanged" event, upon which the application could
> request the screen share source.
>
> Justin's proposed "app install" approach here forces the same sort of
> interaction model. The first time. That's why I'm less enthusiastic
> about having that as a requirement. But you know what? That's OK.
> We don't actually need to standardize this part. Browsers will do
> what they think best when it comes to UX and I'm glad that Justin is
> taking this seriously. At least he isn't leaving sharp pointy objects
> lying around.

Okay, so you're saying that websites (such as bank.com) should be able to specify whether they are willing to show up in screen-capture sessions? That would work, but I don't like the fact that legitimate-capture.com has to wait for bank.com to give it access to screen capture. Banks are not going to grant access to anyone but themselves and I question whether this is really something banks should decide on behalf of the user.

What about the other idea I brought up above? How about popping up a consent box any time a cross-site request is made? For example: "screen-capture.com would like to record you accessing bank.com. Do you want to allow screen-capture.com to access your bank.com account information?" Users would get asked once, and the browser would remember their decision.

I'm flexible with the look of the consent box. I believe you proposed having the user navigate to a menu item and explicitly choose which part of the site they wish to share. I'm fine with that. I just want to see if there is consensus for requesting permission for cross-site access.

Basically I'm saying that cross-site access requires CORS, but cross-site access + capture requires CORS + user consent.

Gili
Received on Tuesday, 26 November 2013 23:31:28 UTC