Re: [mediacapture-region] Why expose produceCropTarget at MediaDevices level? (#11)

Note that capture is routinely used for capturing the output of frames that have no idea they are being captured. So (until this proposal) they have no reason to worry about whether someone else can read their element IDs.

For instance, I see that in https://w3c.github.io/mediacapture-main/getusermedia.html# the respec button has the id "respec-pill", while section 10.1 has the id "x10-1-legacy-interface-extensions"; its text body has no ID. Somewhat guessable, thus somewhat amenable to probing.

I don't know if IDs expose information like the version number of bank sign-on embeds that can be used to scan for vulnerable versions. But I don't know that they don't - the page author has no reason to believe that those elements are cross-origin exposed.

Pages that want certain parts of the page to be focusable should be able to make an explicit decision to do so.



-- 
GitHub Notification of comment by alvestrand
Please view or discuss this issue at https://github.com/w3c/mediacapture-region/issues/11#issuecomment-1125798564 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 13 May 2022 08:38:04 UTC