Re: [mediacapture-screen-share-extensions] Consider dropping permission for captured surface control APIs (#14)

> As a compromise, I'm open to considering the inclusion of a permission prompt in the short term, provided we can agree that our long-term goal is to eliminate the need for it once adequate mitigations are in place.

Thank you for proposing this compromise. It works for me. But to be perfectly clear - we agree to **explore** ways to eliminate the policy and/or prompt in the long-term, once we gain real-life data on users' and Web apps' behavior. If the policy and/or prompt are proven unnecessary, we will gladly remove them. But this long-term goal cannot block short-term API shapes that return a Promise, which is necessary for now (see below).

>  Once all browsers reach that level of confidence, we should be able to deprecate the permission or at least reduce its implementation cost.

I agree.

> what if @youennf's proposed API triggered a prompt and instant NotAllowedError?

That is a completely unworkable solution. Please see [this comment](https://github.com/w3c/mediacapture-screen-share-extensions/issues/13#issuecomment-2438079096) for a list of the benefits of an async API that returns a Promise. (There are three quote-response pairs in that comment. I am referring to the middle one.)

> I'm glad we agree that serious click-jacking concerns remain with this API.

We do _not_ agree about that, but since [you propose a compromise](https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2447910745) which I support - starting with a prompt and considering its removal later - we can bench this discussion.

-- 
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2457572677 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 November 2024 16:00:58 UTC