Re: Why does screen sharing require a browser extension?

So, all we need is one web site that distributes this extension and allows
cross site scripting (by using JSONP for instance) and this entire security
model is out of the window. To be honest, I do not see how installing an
extension is any better than having an option in the browser menu that
enables screen sharing access.

_____________
Roman Shpount


On Wed, Nov 27, 2013 at 12:10 PM, Justin Uberti <juberti@google.com> wrote:

>
> On Wed, Nov 27, 2013 at 1:46 AM, Lorenzo Miniero <lorenzo@meetecho.com> wrote:
>
>> On Wed, 27 Nov 2013 00:34:46 -0800
>> Justin Uberti <juberti@google.com> wrote:
>>
>> > I disagree completely.
>> >
>> > Allowing the installation of apps that have unlimited access to the
>> > system did cause the computing world to end, in a sense. We tried
>> > that, and the result was systems plagued with spyware, and the
>> > creation of the whole anti-virus industry. Thankfully, this
>> > philosophy has now been discredited, and replaced with approaches
>> > that through various mechanisms (ACLs, sandboxing, curation, etc) aim
>> > to protect their users as a top priority. That is what Chrome
>> > (amongst others) is doing, and will continue to do.
>> >
>> > I understand that having access to screen sharing is a highly desired
>> > feature. But there are real issues here, and no amount of scary text
>> > in the dialog box is going to make this safe for arbitrary pages on
>> > the drive-by web.
>> >
>> > So we have made our decision for the initial rollout of this
>> > functionality. In M33, the rules are as I describe - accessible only
>> > via extensions or apps, and for window/desktop sharing, a user prompt
>> > for all sharing requests. We'll ship this code, people will use it,
>> > we'll get feedback - and we'll go from there.
>> >
>>
>>
>> I still don't have a clear opinion on this, as I'm trying to make up my
>> mind about this, and so I really don't have alternatives ready, but I
>> have a question (well maybe two). Would this app/extension be
>> associated with a specific domain? That is, would YourCompany publish
>> such an app to allow window/desktop sharing when the page/javascript
>> comes from yourcompany.com, or would it be in general a service
>> provided to JavaScript developers that may make use of it? I guess it's
>> the former, but in that case, can I use window/desktop sharing in
>> localhost or on a LAN, e.g., for testing purposes? The proposed model
>> seems to suggest I wouldn't be able to do so.
>>
>
> The publisher of the extension can control which domains can talk to it.
> See
> http://developer.chrome.com/extensions/manifest/externally_connectable.html.
> This would allow you to make your extension available to yourcompany.com,
> as well as development machines on *.corp.yourcompany.com. (Note that
> *.com and other wide-reaching wildcards are not permitted.)
>
> There is also the Chrome flag parameter to force on the screen-sharing
> feature for testing purposes
> (chrome://flags/#enable-usermedia-screen-capture).
>

Received on Wednesday, 27 November 2013 17:39:57 UTC
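
Added example (not part of the original thread, and not Chrome's own code): a small audit of an extension manifest's externally_connectable.matches list, flagging the wide-reaching wildcards the message above says are not permitted. The manifest is a constructed sample using the host names from the thread; MULTI_LABEL_SUFFIXES is a hypothetical stand-in for a real public-suffix list, and the breadth rule is a simplified approximation.

```javascript
// Constructed sample manifest; only the host names come from the thread.
const SAMPLE_MANIFEST = {
  name: "Screen sharing helper (constructed sample)",
  externally_connectable: {
    matches: [
      "https://yourcompany.com/*",
      "https://*.corp.yourcompany.com/*",
      "*://*.com/*",
    ],
  },
};

// Assumption: tiny stand-in for a public-suffix list (shared parent domains).
const MULTI_LABEL_SUFFIXES = ["co.uk", "appspot.com"];

// Split "<scheme>://<host>/<path>" into parts; null if the shape is wrong.
function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/([^/]+)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// Return a reason string when a host pattern is too broad, else null.
// Exact hosts (no wildcard) always pass this check.
function tooBroad(host) {
  if (host === "*") return "matches every host";
  if (!host.includes("*")) return null;
  if (!host.startsWith("*.") || host.slice(2).includes("*")) {
    return "wildcard is only accepted as a leading '*.' label";
  }
  const base = host.slice(2);
  if (base.split(".").length < 2) return "no second-level domain";
  if (MULTI_LABEL_SUFFIXES.includes(base)) return "bare shared suffix";
  return null;
}

// One finding per entry; every entry with ok === true is an origin whose
// pages can message the extension, so each one is part of its trust boundary.
function auditMatches(manifest) {
  const ec = manifest.externally_connectable || {};
  return (ec.matches || []).map((pattern) => {
    const p = parsePattern(pattern);
    const reason = p ? tooBroad(p.host) : "not a scheme://host/path pattern";
    return { pattern, ok: reason === null, reason };
  });
}

console.log(auditMatches(SAMPLE_MANIFEST));
```

Every pattern that passes still names an origin that can reach the extension, so the accepted list doubles as the set of sites to review for script injection.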