Re: [mediacapture-surface-control] Address click-jacking concerns (#41)

> Could you clarify the "serious" attack vectors, and why the existing mitigations appear to you insufficient?

What mitigations?

The threat vector would be a malicious website that cajoles the user into sharing a tab of interest, then _"attempts to click-jack scrolling input"_ to _"induce over-scroll"_ or hijacks zoom controls to zoom all the way out. Both are means to attempt to capture as much of the document as quickly as possible.

If the captured tab is a Google doc or presentation, the difference between capturing the first slide and the entire doc can be substantial, and lost on the casual user.

> Real, serious risks call for mitigations that work.
> Mitigations of unreal risks limit Web developers and users (who would otherwise have benefited from features).
> Flawed mitigations, that fail to limit abuse, nevertheless hurt honest Web developers, forcing them to contort their applications into strange shapes, rendering them expensive to develop and maintain.
> 
> In the case at hand, the mitigation proposed ("limit scope... to live, user-visible...") falls short of a robust definition of "user-visible and stable video". This has been discussed in multiple other threads, such as https://github.com/w3c/mediacapture-surface-control/issues/48.

I think you're jumping ahead here. I think we should be able to agree on the problems before discussing solutions.

Between this and #48 we should be able to agree on the threats. Because without threats there's no need for permission either.

None of your links work BTW.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-surface-control/issues/41#issuecomment-2474236287 using your GitHub account



Received on Wednesday, 13 November 2024 17:08:34 UTC