The "no new API" method suggested i nhttps://github.com/w3c/mediacapture-region/issues/11#issuecomment-1123235239 (allowing the capturer to CropTo() to an ID that has not previously been sent to it) will allow a capturer to explore the inner structure of the captured page, without the cooperation of the page (by attempting CropTo() to IDs that are known to be in use by the captured "victim" application and seeing if it succeeds). This may reveal information that is otherwise not available to the capturer. This is the kind of side effect without a security evaluation that I've been warning about when arguing in favor of a new ID scheme. -- GitHub Notification of comment by alvestrand Please view or discuss this issue at https://github.com/w3c/mediacapture-region/issues/11#issuecomment-1123246177 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-configReceived on Wednesday, 11 May 2022 06:42:25 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 6 May 2023 21:19:57 UTC