W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Tue, 26 Nov 2013 18:30:27 -0500
Message-ID: <52952F13.2090709@bbs.darktech.org>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Justin Uberti <juberti@google.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 26/11/2013 4:22 PM, Martin Thomson wrote:
> On 26 November 2013 12:36, cowwoc <cowwoc@bbs.darktech.org> wrote:
>> Okay, good. So the next question is: what is different between the
>> install-time consent box and the one that pops up for each sharing request?
> I'm an advocate for zero popups.  Having the site trigger a consent
> dialog reduces the value of the consent thus obtained.  Even though it
> might not be modal and require user interaction, it still effectively
> inserts itself into the path for a user's goal-seeking behaviour.
> It's attention-grabbing, so users will learn to click there.
>
> A more effective approach, one that is shared by a number of
> applications that offer screen sharing, is to force the user to
> actively seek screen sharing options.  If the browser offered a menu
> item somewhere that said "Share Screen/Application..." and the user
> sought that menu item and selected it, then I might have a better
> sense that this is their intent.  Even better if that then produced a
> selection dialog whereby the user could select between "everything
> that I see" and "just a specific application" (and maybe "just a
> specific browser tab"), as long as there was a prominent "oops,
> nevermind, cancel" button there.  Doing this could maybe fire Justin's
> proposed "sourceschanged" event, upon which the application could
> request the screen share source.
>
> Justin's proposed "app install" approach here forces the same sort of
> interaction model.  The first time.  That's why I'm less enthusiastic
> about having that as a requirement.  But you know what?  That's OK.
> We don't actually need to standardize this part.  Browsers will do
> what they think best when it comes to UX and I'm glad that Justin is
> taking this seriously.  At least he isn't leaving sharp pointy objects
> lying around.

Okay, so you're saying that websites (such as bank.com) should be able 
to specify whether they are willing to show up in screen-capture 
sessions? That would work, but I don't like the fact that 
legitimate-capture.com has to wait for bank.com to give it access to 
screen capture. Banks are not going to grant access to anyone but 
themselves and I question whether this is really something banks should 
decide on behalf of the user.

What about the other idea I brought up above? How about popping up a 
consent box any time a cross-site request is made? For example: 
"screen-capture.com would like to record you accessing bank.com. Do you 
want to allow screen-capture.com to access your bank.com account 
information?" Users would get asked once, and the browser would remember 
their decision. I'm flexible with the look of the consent box. I believe 
you proposed having the user navigate to a menu item and explicitly 
choose which part of the site they wish to share. I'm fine with that. I 
just want to see if there is consensus for requesting permission for 
cross-site access.

Basically I'm saying that cross-site access requires CORS, but 
cross-site access + capture requires CORS + user consent.

Gili
Received on Tuesday, 26 November 2013 23:31:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:36 UTC