Re: [mediacapture-region] Should we support strings in addition or in lieu of opaque identifiers? (#46)

From: Tim Panton via GitHub <sysbot+gh@w3.org>
Date: Fri, 24 Jun 2022 10:29:22 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-1165437485-1656066560-sysbot+gh@w3.org>

As to a specific risk - one I have in mind goes like this:

A major Video Conference app chooses to offer a server-based web API for co-operating web apps to submit their cropTargets (to avoid cross-origin issues). Perhaps it even penalises sites that don't with a user warning or something.

Now suddenly every app that ever wants to be capable of being screenshared without the warning will have to (_speculatively_ because it can't know the user intent to capture it) _always_ send cropTargets to the video conference server's API for _every_ user session - even if this user has never and will never use that conference server. 
As a reward the conference app gets detailed usage stats for all screen-shareable apps. This is not a good thing IMHO and we should not set up a situation which permits such leverage.

None of this happens with an opaque token because unless the user actually has a session with the videoconference app, there is nowhere to post message the token to, so no stats can be collected.

-- 
GitHub Notification of comment by steely-glint
Please view or discuss this issue at https://github.com/w3c/mediacapture-region/issues/46#issuecomment-1165437485 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 24 June 2022 10:29:23 UTC