- From: Lorenzo Miniero <lorenzo@meetecho.com>
- Date: Wed, 27 Nov 2013 10:46:19 +0100
- To: Justin Uberti <juberti@google.com>
- Cc: cowwoc <cowwoc@bbs.darktech.org>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Il giorno Wed, 27 Nov 2013 00:34:46 -0800 Justin Uberti <juberti@google.com> ha scritto: > I disagree completely. > > Allowing the installation of apps that have unlimited access to the > system did cause the computing world to end, in a sense. We tried > that, and the result was systems plagued with spyware, and the > creation of the whole anti-virus industry. Thankfully, this > philosophy has now been discredited, and replaced with approaches > that through various mechanisms (ACLs, sandboxing, curation, etc) aim > to protect their users as a top priority. That is what Chrome > (amongst others) is doing, and will continue to do. > > I understand that having access to screen sharing is a highly desired > feature. But there are real issues here, and no amount of scary text > in the dialog box is going to make this safe for arbitrary pages on > the drive-by web. > > So we have made our decision for the initial rollout of this > functionality. In M33, the rules are as I describe - accessible only > via extensions or apps, and for window/desktop sharing, a user prompt > for all sharing requests. We'll ship this code, people will use it, > we'll get feedback - and we'll go from there. > I still don't have a clear opinion on this, as I'm trying to make my mind about this, and so I really don't have alternatives ready, but I have a question (well maybe two). Would this app/extension be associated with a specific domain? that is, would YourCompany publish such an app to allow window/desktop sharing when the page/javascript comes from yourcompany.com, or would it be in general a service provided to JavaScript developers that may make use of it? I guess it's the former, but in that case, can I use window/desktop sharing in localhost or on a LAN, e.g., for testing purposes? The proposed model seems to suggest I wouldn't be able to do so. Thanks, Lorenzo > > On Tue, Nov 26, 2013 at 8:16 PM, cowwoc <cowwoc@bbs.darktech.org> > wrote: > > > On 26/11/2013 10:43 PM, Silvia Pfeiffer wrote: > > > >> If the screenshare chooser provides some information such as > >> "Warning: only click ok if you agree to give the website access to > >> your desktop" I think it can be made to work. > >> > >> WebRTC without native screen sharing is not living up to its > >> potential, so I'd like to find a way to make this work asap. > >> > >> Cheers, > >> Silvia. > >> > > > > Commenting specifically on the use of a browser extensions: We've > > been installing applications that had unlimited access to all our > > computers for years, and the world didn't end. Do we honestly > > expect browser vendors to detect and ban malicious apps faster than > > anti-virus companies? If misbehaving iframes are so difficult to > > detect, how do browser vendors plan to detect malicious apps? > > > > Browser vendors are spread thin, with more bugs filed than fixed > > with every passing day. Anti-virus companies have dedicated teams > > that do nothing other than detect and ban malicious apps. If I had > > to guess, I'd say that anti-virus companies will do a better job. > > They roll out updates multiple times a day while browsers roll out > > updates multiple times a month. There is just no comparison. Most > > of them already have the ability to scan for and ban specific > > webapps. > > > > I further agree with Steve that the feature needs to be portable > > across browsers, and pushing it into browser extensions prevents > > this from happening. > > > > Gili > >
Received on Wednesday, 27 November 2013 09:46:48 UTC