Re: [mediacapture-screen-share] Revisit: Let getDisplayMedia() influence the default type choice in the picker (#184)

> If we follow the advice in 1. - should this apply to just the requesting tab, or to all tabs with the same origin?
> Same-origin tabs have the ability to manipulate each other, so a trivial workaround for this restriction would be to open up another tab in which to do the dastardly deeds before calling getDisplayMedia.

The same workaround could be applied with tabs that only **appear** to not be same-origin. Namely:
* evil.com runs in tab1 and opens collaborator.com in a new tab - tab2.
* collaborator.com embeds a "mailman" iframe with an evil.com document.
* Technically speaking, these tabs are not same-origin.
* Practically speaking, collaborator.com, in tab2, can postMessage() to the "mailman" evil.com iframe, which can use a BroadcastChannel to shuttle these messages to the evil.com document in tab1.

Because of this, I think the recommendation need not apply to same-origin other tabs.

-- 
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/184#issuecomment-912368482 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 3 September 2021 08:42:10 UTC
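
The relay argument in the comment above, as an added example that is not part of the original comment or of the specification: a small JavaScript model that groups tabs by whether their documents share a message path, next to the top-level-origin comparison the quoted question considers. The document ids, the function names and the `partitioned` option (BroadcastChannel keyed by top-level origin as well as origin) are assumptions made for this sketch.

```javascript
// Constructed model of the scenario: each document has an id, an origin,
// the tab it lives in, and (for iframes) the id of its embedding document.
const docs = [
  { id: "tab1-top", origin: "https://evil.com", tab: "tab1", parent: null },
  { id: "tab2-top", origin: "https://collaborator.com", tab: "tab2", parent: null },
  { id: "tab2-mailman", origin: "https://evil.com", tab: "tab2", parent: "tab2-top" },
];

// Origin of the top-level document of the tab a document lives in.
function topOrigin(docs, doc) {
  return docs.find((d) => d.tab === doc.tab && d.parent === null).origin;
}

// Two documents share a message path if one embeds the other (postMessage)
// or they are same-origin (BroadcastChannel). With partitioned=true the
// channel is also keyed by top-level origin (a modelling assumption).
function linked(docs, a, b, partitioned) {
  if (a.parent === b.id || b.parent === a.id) return true;
  if (a.origin !== b.origin) return false;
  return !partitioned || topOrigin(docs, a) === topOrigin(docs, b);
}

// Groups tabs into sets whose documents can relay messages to one another.
function colludingTabs(docs, partitioned = false) {
  const group = new Map(docs.map((d) => [d.id, d.id]));
  const find = (x) => (group.get(x) === x ? x : find(group.get(x)));
  for (const a of docs)
    for (const b of docs)
      if (a !== b && linked(docs, a, b, partitioned)) group.set(find(a.id), find(b.id));
  const sets = new Map();
  for (const d of docs) {
    const root = find(d.id);
    if (!sets.has(root)) sets.set(root, new Set());
    sets.get(root).add(d.tab);
  }
  return [...sets.values()].map((s) => [...s].sort());
}

// The tab-level check from the quoted question: compare top-level origins only.
function sameOriginTabs(docs, tabA, tabB) {
  const top = (t) => docs.find((d) => d.tab === t && d.parent === null);
  return topOrigin(docs, top(tabA)) === topOrigin(docs, top(tabB));
}
```

In this model the tab-level comparison reports tab1 and tab2 as different origins, while `colludingTabs(docs)` places them in one group; with `partitioned` set to `true` they fall into separate groups.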