- From: Elad Alon via GitHub <sysbot+gh@w3.org>
- Date: Thu, 24 Oct 2024 09:18:48 +0000
- To: public-webrtc-logs@w3.org
> Permission prompts have shown to be useless in explaining click-jacking threats to users.

The permission policy and prompt are NOT a click-jacking prevention mechanism. This issue started with a claim that a permission prompt is unnecessary, and a suggestion that its benefits could be better provided with other mechanisms; namely, with a limitation of the element types. In response, Tim and I have shown that element-type-limiting is easy to circumvent, which means it cannot be used as a substitute for anything, because it provides nothing. This is the correct context of this exchange.

The claims that (1) a permission prompt is undesirable, and that (2) other mechanisms are sufficient substitutes, both remain unsubstantiated. Moreover, the counter-claim that if a permission prompt is truly undesirable, the spec does not prevent UAs from skipping it, has not been addressed.

> I'm arguing for mitigation and against permission as panacea.

And I am claiming that the mitigation you proposed (limiting element types) confers no security benefits. Further, the permission was not presented as a panacea, so let's please not characterize that claim as such.

--
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2434741283 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 24 October 2024 09:18:49 UTC