[mediacapture-surface-control] Consider dropping permission for captured surface control APIs (#48)

jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-surface-control:

== Consider dropping permission for captured surface control APIs ==
Let's continue discussion from https://github.com/screen-share/captured-surface-control/issues/27 here where other members can contribute.

The choice of requiring permission influences API design, like requiring methods over attributes, but this is of secondary concern.

We should first agree on whether permission is required or not for scrolling and/or zoom features. This should be based on threat vectors and UX concerns, and what the guidelines say around that. I mention some of them in https://github.com/screen-share/captured-surface-control/issues/27#issuecomment-2422656144:

> ... Let's look to the guidelines for help.
> 
> [§ 2.10. Require user activation for powerful APIs](https://w3ctag.github.io/design-principles/#require-user-activation) says _"user activation ... is not always sufficient to protect users from invasive behaviours, and seeking [meaningful consent](https://w3ctag.github.io/design-principles/#consent) is also important."_
> 
> _"not always"_ = sometimes. So there's a chance we're good, since we implement something even stronger than [consuming activation](https://html.spec.whatwg.org/#activation-consuming-api) here. The question is:
> 
> Is meaningful consent required here? [§ 1.4. Ask users for meaningful consent](https://w3ctag.github.io/design-principles/#consent) says: _"If a useful feature has the potential to cause harm to users, ... make sure ... they can refuse consent effectively."_
> 
> Do we feel buttons that (when interacted with) can scroll down or zoom a captured tab all the way out reach a level of harm? Possibly, since this might reveal more webpage information than the user expected.
> 
> But it also says: _"If a feature is powerful enough to require user consent, but it’s impossible to explain to a typical user what they are consenting to, that’s a signal that you may need to reconsider the design of the feature."_

Should we work on mitigating these risks directly?

Do we need to pull in the full permission machinery with delegated permissions, query and the like, or might giving UAs the option to throw `NotAllowedError` suffice?


Please view or discuss this issue at https://github.com/w3c/mediacapture-surface-control/issues/48 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 13 November 2024 08:35:15 UTC