- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 27 Nov 2013 09:59:06 -0800
- To: Roman Shpount <roman@telurix.com>
- Cc: Justin Uberti <juberti@google.com>, Lorenzo Miniero <lorenzo@meetecho.com>, cowwoc <cowwoc@bbs.darktech.org>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 27 November 2013 09:39, Roman Shpount <roman@telurix.com> wrote:
> So, all we need is one web site that distributes this extension and allows
> cross site scripting (by using JSONP for instance) and this entire security
> model is out of the window. To be honest, I do not see how installing
> extension is any better than having an option in the browser menu that
> enables screen sharing access.

That site would have to allow other sites to access the data. We're talking about making MediaStreamTracks transferrable between contexts using postMessage, which would absolutely allow this restriction to be bypassed. The same way that you could get a permanent grant for gUM on audio and video and then hand it out willy-nilly to others.

That sort of behaviour is exactly the sort of behaviour that Justin talks about when he refers to the ability to remotely disable extensions. It's why that feature exists.

Received on Wednesday, 27 November 2013 17:59:34 UTC