Re: [mediacapture-screen-share-extensions] Consider dropping permission for captured surface control APIs (#14)

Stepping back slightly - I feel like the risk here is that we are encouraging the user to view the captured surface through the machinery of the video call app (say) but interact with it semi-directly. There is no certainty that the VC will faithfully render the capture to the local user. What an attacking remote user sees is not necessarily what the local user sees (until they uncover the captured surface). It might have scrolled down through your emails but still be showing you and the rest of the conference the 3rd page of the first email whilst rendering the whole thing to the attacker.

So yes, I think we need informed user consent (unless you tell me how deceptive zoom/scroll is prevented otherwise).

-- 
GitHub Notification of comment by steely-glint
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2426657705 using your GitHub account


Received on Monday, 21 October 2024 13:17:11 UTC