W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: Justin Uberti <juberti@google.com>
Date: Tue, 26 Nov 2013 08:45:14 -0800
Message-ID: <CAOJ7v-2qNKp2WhOHv4+oZY0QhKdUaVenJSTXH384nw8X=3TguA@mail.gmail.com>
To: cowwoc <cowwoc@bbs.darktech.org>
Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>
No, you aren't safe. screenshare.com could IFRAME in bank.com and then
you're hosed.

Basically, anything that has the ability to screenshare can open ANY WEB
SITE of its choosing in an IFRAME - and because it will use the same
browser context, it will already be authenticated - making it trivial to
capture sensitive information.

On Tue, Nov 26, 2013 at 1:07 AM, cowwoc <cowwoc@bbs.darktech.org> wrote:

>  On 26/11/2013 3:42 AM, Harald Alvestrand wrote:
> On 11/26/2013 09:09 AM, cowwoc wrote:
> Hi Justin,
> On 25/11/2013 6:58 PM, Justin Uberti wrote:
> Others have already made the points I was going to, but I'll summarize:
> - Screensharing is more dangerous than webcam access, because the attacker
> can record the screen, AND control what is displayed on it.
> Agreed but only if you interpret screen-sharing as co-browsing. It is
> possible to limit screen-sharing to read-only screen recording, without the
> ability to control what is being displayed on it, in which case none of
> these security concerns exist.
> What Javascript applications do in general is to control what the browser
> shows on the screen.
> Unless you want to limit screencasting to 'casting everything EXCEPT for
> the browser (a very marginal use case, and totally inconsistent with
> everything people are currently deploying screencasting for), the
> Javascript will be able to control whatever Javascript is usually able to
> control.
> Please think this through.
>  Harald,
> You seem to be misunderstanding what I had in mind. I'm talking about the
> following:
> Alice opens bank.com in tab 1, screenshare.com in tab 2. She instructs
> the WebRTC application in tab 2 to screen-share tab 1. It is my
> understanding that Javascript cannot do cross-tab scripting, and as such
> we'd be safe. The cross-tab operation is being implemented by the browser,
> not Javascript.
> Gili
Received on Tuesday, 26 November 2013 16:46:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:52 UTC