Re: [mediacapture-screen-share-extensions] Consider dropping permission for captured surface control APIs (#14)

> ... please consider the possibility of drawing two video elements, one with (1) an unfaithful representation of the capture at full opacity (fully visible), then another (2) faithful representation at minimum opacity (practically invisible). The app places (2) on top and forwards scrolls from it, proving your prompt-replacement mitigations useless.

This is [click-jacking](https://www.w3.org/Security/wiki/Clickjacking_Threats), which UAs already deal with on the daily. UAs should be given a lot of leeway to fight such behavior when detected, and we should build APIs that support them in this (tying forwarding to playback as a start).

So these are click-jacking mitigations. Calling them "prompt-replacement" mitigations wrongly suggests a permission prompt adequately addresses click-jacking (or that mitigation can be skipped because the user was warned), which is false.

Permission prompts have shown to be useless in explaining click-jacking threats to users. If users can't understand the risk then we have not obtained [meaningful consent](https://w3ctag.github.io/design-principles/#consent).

> If you think my example is absurd, consider the value to an attacker of being able to see a couple of slides ahead in an earnings call.

Remote control is mitigated. A company using a malicious VC app for earnings calls seems a bit unrealistic.

I do not wish to diminish the risk. On the contrary, I'm arguing for mitigation and against permission as panacea.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2433135861 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 23 October 2024 18:35:12 UTC