W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Tue, 26 Nov 2013 04:07:08 -0500
Message-ID: <529464BC.3030605@bbs.darktech.org>
To: public-webrtc@w3.org
On 26/11/2013 3:42 AM, Harald Alvestrand wrote:
> On 11/26/2013 09:09 AM, cowwoc wrote:
>> Hi Justin,
>>
>> On 25/11/2013 6:58 PM, Justin Uberti wrote:
>>> Others have already made the points I was going to, but I'll summarize:
>>> - Screensharing is more dangerous than webcam access, because the 
>>> attacker can record the screen, AND control what is displayed on it.
>>
>> Agreed but only if you interpret screen-sharing as co-browsing. It is 
>> possible to limit screen-sharing to read-only screen recording, 
>> without the ability to control what is being displayed on it, in 
>> which case none of these security concerns exist.
>
> Gili, it's a JAVASCRIPT APPLICATION.
>
> What Javascript applications do in general is to control what the 
> browser shows on the screen.
>
> Unless you want to limit screencasting to 'casting everything EXCEPT 
> for the browser (a very marginal use case, and totally inconsistent 
> with everything people are currently deploying screencasting for), the 
> Javascript will be able to control whatever Javascript is usually able 
> to control.
>
> Please think this through.
>
Harald,

You seem to be misunderstanding what I had in mind. I'm talking about 
the following:

Alice opens bank.com in tab 1, screenshare.com in tab 2. She instructs 
the WebRTC application in tab 2 to screen-share tab 1. It is my 
understanding that Javascript cannot do cross-tab scripting, and as such 
we'd be safe. The cross-tab operation is being implemented by the 
browser, not Javascript.

Gili
Received on Tuesday, 26 November 2013 09:08:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:36 UTC