As to a specific risk - one I have in mind goes like this: A major Video Conference app chooses to offer a server based webAPI for co-operating web apps to submit their cropTargets (to avoid cross origin issues). Perhaps it even penalises sites that don't with a user warning or something. Now suddenly every app that ever wants to be capable of being screenshared without the warning will have to (_speculatively_ because it can't know the user intent to capture it) _always_ send cropTargets to the video conference server's API for _every_ user session - even if this user has never and will never use that conference server. As a reward the conference app gets detailed usage stats for all screen-shareable apps. This is not a good thing IMHO and we should not set up a situation which permits such leverage. None of this happens with an opaque token because unless the user actually has a session with the videoconference app, there is nowhere to post message the token to, so no stats can be collected. -- GitHub Notification of comment by steely-glint Please view or discuss this issue at https://github.com/w3c/mediacapture-region/issues/46#issuecomment-1165437485 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-configReceived on Friday, 24 June 2022 10:29:23 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 6 May 2023 21:19:57 UTC