W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 27 Nov 2013 09:59:06 -0800
Message-ID: <CABkgnnUu1ZjbZNJkjH7MLTtpiuCvDx_kq_RrSRrVwCXgALHL5A@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: Justin Uberti <juberti@google.com>, Lorenzo Miniero <lorenzo@meetecho.com>, cowwoc <cowwoc@bbs.darktech.org>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 27 November 2013 09:39, Roman Shpount <roman@telurix.com> wrote:
> So, all we need is one web site that distributes this extension and allows
> cross site scripting (by using JSONP for instance) and this entire security
> model is out of the window. To be honest, I do not see how installing
> extension is any better then having an option in the browser menu that
> enables screen sharing access.

That site would have to allow other sites to access the data.  We're
talking about making MediaStreamTracks transferrable between contexts
using postMessage, which would absolutely allow this restriction to be
bypassed.

The same way that you could get a permanent grant for gUM on audio and
video and then hand it out willy-nilly to others.

That sort of behaviour is exactly the sort of behaviour that Justin
talks about when he refers to the ability to remotely disable
extensions.  It's why that feature exists.
Received on Wednesday, 27 November 2013 17:59:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:36 UTC