Re: [mediacapture-screen-share] Capture-current-tab: Managing capture-ability by cross-origin embedder as opt-in vs. opt-out (#156) from Jan-Ivar Bruaroey via GitHub on 2021-01-19 (public-webrtc-logs@w3.org from January 2021)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Jan 2021 18:36:47 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-763040873-1611081406-sysbot+gh@w3.org>

@eladalon1983 Since we ran out of time in the meeting I'm adding some feedback here. I'm going to ignore that we disagree on the security properties of the proposed API for a moment, to see if we can make progress on cropping orthogonally to it:

> From [slides](https://docs.google.com/presentation/d/1crumgYj4eHkjo04faLktPTg0QoYJhTFoosEBudfJBuw/edit#slide=id.g7954c29f8a_2_14)
> <img src="https://user-images.githubusercontent.com/3136226/105072152-84b26000-5a53-11eb-89dc-b2805846624a.png" width="250">

If I understand correctly, a top-level page from site A is capturing its tab and wants to crop the output to only include a sub-region _inside_ a sub-iframe containing a participating site B, Is that right? And cropping needs to be robust and frame-accurate enough to not accidentally share even a split-frame more, to avoid revealing sensitive info like speaker notes?

If so, then this seems problematic on a couple of levels. For one, the iframe may be in a separate process, which might slip up on a frame here and there. And inherently having the party that decides what area should be cropped separate from the source being cropped seems like a dependency that would be hard to manage e.g. requiring different teams to coordinate (no pun intended).

If we don't use explicit coordinates (which I could easily see going out of sync), relying on some agreed-upon `<div>` would also mean adding code to fish out said div from the iframe, and things can go wrong there a well (site B updating the `'id`). Also, site A would not see the `<div>` in site B's page unless they were same orgin.

A safer approach seems to be to arrange for the participating page on site B to be doing the capture itself. It controls its own layout, and can specify a crop region using its own `<div>` easily. Permissions policy would still ensure that the end user perceives the request as coming from site A, so that shouldn't be a problem.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/156#issuecomment-763040873 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 19 January 2021 18:36:50 UTC