Re: [mediacapture-region] Should we support strings in addition or in lieu of opaque identifiers? (#46)

As to a specific risk - one I have in mind goes like this:

A major Video Conference app chooses to offer a server based webAPI for co-operating web apps to submit their cropTargets (to avoid cross origin issues). Perhaps it even penalises sites that don't with a user warning or something.

Now suddenly every app that ever wants to be capable of being screenshared without the warning will have to (_speculatively_ because it can't know the user intent to capture it) _always_ send cropTargets to the video conference server's API for _every_ user session - even if this user has never and will never use that conference server. 
As a reward the conference app gets detailed usage stats for all screen-shareable apps. This is not a good thing IMHO and we should not set up a situation which permits such leverage.

None of this happens with an opaque token because unless the user actually has a session with the videoconference app, there is nowhere to post message the token to, so no stats can be collected.

GitHub Notification of comment by steely-glint
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Friday, 24 June 2022 10:29:23 UTC