- From: Elad Alon via GitHub <sysbot+gh@w3.org>
- Date: Thu, 14 Nov 2024 12:24:38 +0000
- To: public-webrtc-logs@w3.org
> What mitigations?

The ones listed [here](https://w3c.github.io/mediacapture-surface-control/#privacy-and-security-considerations).

> The threat vector would be a malicious website that cajoles the user into sharing a tab of interest, then "attempts to click-jack scrolling input" to "induce over-scroll" or hijacks zoom controls to zoom all the way out. Both are means to attempt to capture as much of the document as quickly as possible.

The risk/reward trade-off here seems quite favorable; I would NOT classify the threat as "serious". I might even go so far as to label it "mostly theoretical". A hypothetical attacker needs to:

1. Get the user to load the malicious application.
1. Get the user to approve the capture of something.
1. Make sure the user shares something of relevance to the attacker.
1. Get the user to approve a permission prompt for zooming and scrolling.
1. Get the user to scroll over the capturing app or click an element in the capturing app.
1. (This attack is obviated if the content of relevance is already visible.)
1. (This attack is obviated if the content of relevance is not reachable through scrolling or zooming.)

Theoretically? Yes, there is _some_ new vector of attack here. But in practice? I am not concerned; this is not an appreciable increase in attackers' capacity to do users harm.

While we can debate the benefits of additional mitigations, it's not a blocking issue; we have enough mitigations as-is.

> None of your links work BTW.

That's the result of moving the repo from the SCCG to the WebRTC WG. I have now updated some of the comments on this thread. If you run into remaining ones, please s/`screen-share`/`w3c` and s/`captured-surface-control`/`mediacapture-surface-control`, and they'll work for you. Links to specific comments within threads, however, can only be restored manually; if you run into one that you're unsure of, ask me and I'll do my best to reconstruct what it used to point to.
--
GitHub Notification of comment by eladalon1983

Please view or discuss this issue at https://github.com/w3c/mediacapture-surface-control/issues/41#issuecomment-2476223851 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 14 November 2024 12:24:38 UTC