W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: Lorenzo Miniero <lorenzo@meetecho.com>
Date: Wed, 27 Nov 2013 10:46:19 +0100
To: Justin Uberti <juberti@google.com>
Cc: cowwoc <cowwoc@bbs.darktech.org>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-ID: <20131127104619.30738516@lminiero>
Il giorno Wed, 27 Nov 2013 00:34:46 -0800
Justin Uberti <juberti@google.com> ha scritto:

> I disagree completely.
> Allowing the installation of apps that have unlimited access to the
> system did cause the computing world to end, in a sense. We tried
> that, and the result was systems plagued with spyware, and the
> creation of the whole anti-virus industry. Thankfully, this
> philosophy has now been discredited, and replaced with approaches
> that through various mechanisms (ACLs, sandboxing, curation, etc) aim
> to protect their users as a top priority. That is what Chrome
> (amongst others) is doing, and will continue to do.
> I understand that having access to screen sharing is a highly desired
> feature. But there are real issues here, and no amount of scary text
> in the dialog box is going to make this safe for arbitrary pages on
> the drive-by web.
> So we have made our decision for the initial rollout of this
> functionality. In M33, the rules are as I describe - accessible only
> via extensions or apps, and for window/desktop sharing, a user prompt
> for all sharing requests. We'll ship this code, people will use it,
> we'll get feedback - and we'll go from there.

I still don't have a clear opinion on this, as I'm trying to make my
mind about this, and so I really don't have alternatives ready, but I
have a question (well maybe two). Would this app/extension be
associated with a specific domain? that is, would YourCompany publish
such an app to allow window/desktop sharing when the page/javascript
comes from yourcompany.com, or would it be in general a service
provided to JavaScript developers that may make use of it? I guess it's
the former, but in that case, can I use window/desktop sharing in
localhost or on a LAN, e.g., for testing purposes? The proposed model
seems to suggest I wouldn't be able to do so.


> On Tue, Nov 26, 2013 at 8:16 PM, cowwoc <cowwoc@bbs.darktech.org>
> wrote:
> > On 26/11/2013 10:43 PM, Silvia Pfeiffer wrote:
> >
> >> If the screenshare chooser provides some information such as
> >> "Warning: only click ok if you agree to give the website access to
> >> your desktop" I think it can be made to work.
> >>
> >> WebRTC without native screen sharing is not living up to its
> >> potential, so I'd like to find a way to make this work asap.
> >>
> >> Cheers,
> >> Silvia.
> >>
> >
> > Commenting specifically on the use of a browser extensions: We've
> > been installing applications that had unlimited access to all our
> > computers for years, and the world didn't end. Do we honestly
> > expect browser vendors to detect and ban malicious apps faster than
> > anti-virus companies? If misbehaving iframes are so difficult to
> > detect, how do browser vendors plan to detect malicious apps?
> >
> > Browser vendors are spread thin, with more bugs filed than fixed
> > with every passing day. Anti-virus companies have dedicated teams
> > that do nothing other than detect and ban malicious apps. If I had
> > to guess, I'd say that anti-virus companies will do a better job.
> > They roll out updates multiple times a day while browsers roll out
> > updates multiple times a month. There is just no comparison. Most
> > of them already have the ability to scan for and ban specific
> > webapps.
> >
> > I further agree with Steve that the feature needs to be portable
> > across browsers, and pushing it into browser extensions prevents
> > this from happening.
> >
> > Gili
> >
Received on Wednesday, 27 November 2013 09:46:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:52 UTC