Re: [w3ctag/design-reviews] Screen Capture API (2019) (#440) from Jan-Ivar Bruaroey on 2020-03-02 (public-webapps-github@w3.org from March 2020)

From: Jan-Ivar Bruaroey <notifications@github.com>
Date: Mon, 02 Mar 2020 10:41:26 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/440/593553700@github.com>

Hi, and thanks! I'm happy to elaborate since the privacy issues aren't super evident. (Part 1/2)

> For 8.2.1., what is active user consent (perhaps it's asking for a permission?),

In short, yes. It's one of two forms of mandated [consent interactions](https://w3c.github.io/mediacapture-screen-share/#authorizing-display-capture); the one required regardless of source. This spec tries hard to not assume what shape UX might take, hence these abstractions.

Example: all current implementations implement a screen/window/tab picker, which imply giving permission much like a file upload dialog does.

> and how is it different to the "novelty" mentioned in 8.2.3?

It should be less severe/novel than the [elevated permission](https://w3c.github.io/mediacapture-screen-share/#dfn-elevated-permissions) required for [scary](https://blog.mozilla.org/webrtc/share-browser-windows-entire-screen-sites-trust/) sources.

Importantly, _"elevated permissions are not a substitute for active user consent."_ In other words: sharing a scary source requires ***both*** [elevated permission](https://w3c.github.io/mediacapture-screen-share/#dfn-elevated-permissions) ***and*** [active user consent](https://w3c.github.io/mediacapture-screen-share/#dfn-active-user-consent).

Elevated permission example: an installation procedure akin to installing an extension, where the user understands they're making a high-trust special exception. At the time of writing years ago, Chrome still required installation of an extension to enable screen sharing, and Firefox required an about:config whitelist of websites (i.e. an extension).

Since then, implementations have lowered the bar:
 1. Firefox shows a ⚠️ warning in the preview pane (seen [here](https://blog.mozilla.org/webrtc/share-browser-windows-entire-screen-sites-trust/)) of scary sources only.
 2. Chrome makes no distinction (in violation of the spec in my opinion).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/440#issuecomment-593553700

Received on Monday, 2 March 2020 18:41:39 UTC