Re: Why does screen sharing require a browser extension?

I disagree completely.

Allowing the installation of apps that have unlimited access to the system
did cause the computing world to end, in a sense. We tried that, and the
result was systems plagued with spyware, and the creation of the whole
anti-virus industry. Thankfully, this philosophy has now been discredited,
and replaced with approaches that through various mechanisms (ACLs,
sandboxing, curation, etc.) aim to protect their users as a top priority.
That is what Chrome (amongst others) is doing, and will continue to do.

I understand that having access to screen sharing is a highly desired
feature. But there are real issues here, and no amount of scary text in the
dialog box is going to make this safe for arbitrary pages on the drive-by
web.

So we have made our decision for the initial rollout of this functionality.
In M33, the rules are as I describe - accessible only via extensions or
apps, and for window/desktop sharing, a user prompt for all sharing
requests. We'll ship this code, people will use it, we'll get feedback -
and we'll go from there.


On Tue, Nov 26, 2013 at 8:16 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:

> On 26/11/2013 10:43 PM, Silvia Pfeiffer wrote:
>
>> If the screenshare chooser provides some information such as "Warning:
>> only click ok if you agree to give the website access to your desktop"
>> I think it can be made to work.
>>
>> WebRTC without native screen sharing is not living up to its
>> potential, so I'd like to find a way to make this work asap.
>>
>> Cheers,
>> Silvia.
>>
>
> Commenting specifically on the use of browser extensions: We've been
> installing applications that had unlimited access to all our computers for
> years, and the world didn't end. Do we honestly expect browser vendors to
> detect and ban malicious apps faster than anti-virus companies? If
> misbehaving iframes are so difficult to detect, how do browser vendors plan
> to detect malicious apps?
>
> Browser vendors are spread thin, with more bugs filed than fixed with
> every passing day. Anti-virus companies have dedicated teams that do
> nothing other than detect and ban malicious apps. If I had to guess, I'd
> say that anti-virus companies will do a better job. They roll out updates
> multiple times a day while browsers roll out updates multiple times a
> month. There is just no comparison. Most of them already have the ability
> to scan for and ban specific webapps.
>
> I further agree with Steve that the feature needs to be portable across
> browsers, and pushing it into browser extensions prevents this from
> happening.
>
> Gili
>

Received on Wednesday, 27 November 2013 08:35:33 UTC