- From: Elad Alon via GitHub <sysbot+gh@w3.org>
- Date: Thu, 22 Apr 2021 20:45:25 +0000
- To: public-webrtc-logs@w3.org

I recognize the benefits of requiring `cross-origin isolation + opt-in`, as well as the deficiencies of stand-in security measures. It is for that reason that I have not fully formed an opinion on the matter.

I know malicious sites regularly mislead users with false promises of salacious media content and free cryptocurrency. I can imagine how such a site could trick the user into grabbing a screenshot. For example, by feigning breakage right before the advertised payoff moment, then suggesting the user file feedback, purporting this would lead to a human operator interceding and unlocking the coveted prize.

It is unclear to me if such attacks require inordinate credulity of the user, beyond what we can reasonably protect against[*], or if these attacks are within our mandate to stop. I might also be overlooking stronger social-engineering attacks. There are people at Google whose job it is to make such judgements, and I intend to seek their counsel before taking a position.

--
[*] Under the assumption that this protection comes at the cost of greatly inconveniencing legitimate users by blocking access to useful APIs under legitimate scenarios.

--
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/160#issuecomment-825173222 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 22 April 2021 20:45:28 UTC