[mediacapture-screen-share] Forbid getDisplayMedia in top-level browsing context by default? from Jan-Ivar Bruaroey via GitHub on 2018-11-15 (public-webrtc-logs@w3.org from November 2018)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Thu, 15 Nov 2018 18:28:25 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issues.opened-381285870-1542306499-sysbot+gh@w3.org>

jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-screen-share:

== Forbid getDisplayMedia in top-level browsing context by default? ==
Right now, [our feature policy](https://w3c.github.io/mediacapture-screen-share/#feature-policy-integration)'s default allowlist is `"self"`, disallowing calls from iframes only.

Since `getDisplayMedia` could be used maliciously to [violate "the Web security model"](https://tools.ietf.org/html/draft-ietf-rtcweb-security-10#section-4.1.1), should it be [`"none"`](https://wicg.github.io/feature-policy/#default-allowlists)?

This would protect web sites with no interest in this API from exposure, e.g. from injection attacks.

cc @youennf, @martinthomson 

Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/90 using your GitHub account

Received on Thursday, 15 November 2018 18:28:32 UTC