Re: [w3ctag/design-reviews] Screen Capture API (2019) (#440) from Jan-Ivar Bruaroey on 2020-03-02 (public-webapps-github@w3.org from March 2020)

From: Jan-Ivar Bruaroey <notifications@github.com>
Date: Mon, 02 Mar 2020 10:51:45 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/440/593558475@github.com>

(Part 2/2)

> And for 8.2.2., when do you foresee content crossing origins?

If a web site controls both what is being captured and the resulting stream, then it has a power tool to circumvent the same origin policy. See the [blog](https://blog.mozilla.org/webrtc/share-browser-windows-entire-screen-sites-trust/) for an explanation of this exploit.

> On 5.5 device identifiers:

Device identifiers are [not](https://w3c.github.io/mediacapture-screen-share/#device-identifiers) exposed to JS (_"MUST NOT be enumerated by enumeratedevices()"_).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/440#issuecomment-593558475

Received on Monday, 2 March 2020 18:51:58 UTC