Re: [mediacapture-screen-share] Let pages opt-in to capture. (#155)

> two new requirements - (1) site-isolation and (2) a new header. 

@elad Great to hear! — To clarify, By _"site-isolation"_ do you mean COOP+COEP or just COEP? — I don't think COOP matters here, except making it simpler to talk about perhaps (mapping 1-1 with [window.crossOriginIsolated](

> Resources are same-process with their embedding document, and therefore cannot reasonably expect to be fully protected from readability by those documents.

I shudder using Spectre as a reason, but probably true. 👻

I think I'm ok with it. I [wan't planning to require]( headers for resources either. cc @annevk @mystor

To clarify what we're talking about, these are resources that set `Cross-Origin-Resource-Policy = "cross-origin"` but not `Access-Control-Allow-Origin`, keeping their opaqueness, yet would be captured by this feature. 

E.g. *"image2 canvas data CANNOT be read"* in this [example]( (`/corp/logo.png` served [here](!/complex-fate-zone?path=server.js%3A18%3A50)).

But I'm not 100% sure this isn't a problem. Are there sites out there serving personal info from cookies this way, relying on it being opaque? — A malicious site tricking a user for this permission could quickly steal personal info from all over the web this way. But as you point out, the same malicious site could use Spectre for this today without permission.

GitHub Notification of comment by jan-ivar
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 24 March 2021 00:00:21 UTC