Re: What is missing for building "real" services?

On 1/9/2014 12:39 AM, cowwoc wrote:
> Okay, so here is my second attempt at this:
> We should be able to share any part of the display that the 
> application does not control. Meaning, the webapp might allow users to 
> share the contents of Excel so long as it has no control over what 
> gets displayed by Excel. Similarly, it should be allowed to share any 
> browser tab so long as it plays within its own host/origin.
> Assuming that co-browsing is a non-goal for now, is the above 
> (read-only screen sharing) safe from a security point of view?

There are security issues even for read-only sharing.

If the application can control an iframe in the shared tab/window, it 
could flick up images of private data it normally couldn't access (even 
via writing to a canvas) due to cross-origin restrictions. Data such as 
bank accounts, private user pages, etc.

If it also has access to the camera, it could even wait until you (and 
the other person) weren't looking.

Effectively, the level of risk involved is somewhere between granting 
camera access (which risks privacy, but not online/monetary data) and a 
full native desktop install (often used for screen sharing) or a plugin 
(both of which in theory can have access to the entire PC).  A security 
level roughly equivalent to a desktop install (or plugin install) is 
relatively safe, though users may not be as knowledgeable of the risks 
of plugin installs as they are of desktop installs.  It is unusual and 
thus will tend to trigger some level of concern.

Manually whitelisting sites/apps you trust to ask for screensharing is 
possible also; the downside might be that users would not understand the 
risks; the upside would be that you could tailor warnings (which we all 
know users read religiously and understand totally!)

Randell Jesup -- rjesup a t mozilla d o t com

Received on Thursday, 9 January 2014 23:30:14 UTC
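
Added example, not part of the original message or the thread: the iframe risk described in the reply only applies to private pages that let another origin frame them, which a site operator can check from the response headers. The sketch below evaluates `X-Frame-Options` and CSP `frame-ancestors` for a single embedding page; the function names, URLs and header values are constructed for illustration.

```javascript
// Added example, not from the thread. URLs and header values are constructed.
// Simplified: one embedding page is checked (browsers check every ancestor),
// and CSP's port 80 -> 443 upgrade leniency is not modelled.
const schemeOk = (want, got) => want === got || (want === "http:" && got === "https:");

// Does one frame-ancestors source expression match the embedding page?
function sourceMatches(src, embedder, self) {
  const s = src.toLowerCase();
  if (s === "'self'") return embedder.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, embedder.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // 'none' and malformed expressions match nothing
  const [, scheme, wild, host, port] = m;
  if (!schemeOk(scheme ? scheme + ":" : self.protocol, embedder.protocol)) return false;
  const h = embedder.hostname;
  if (wild ? !h.endsWith("." + host) : h !== host) return false;
  const effective = embedder.port || (embedder.protocol === "https:" ? "443" : "80");
  return port === undefined ? embedder.port === "" : port === "*" || port === effective;
}

// headers: lower-case names; a CSP value may hold several comma-separated policies.
function canBeFramedBy(headers, pageUrl, embedderUrl) {
  const self = new URL(pageUrl), embedder = new URL(embedderUrl);
  const lists = (headers["content-security-policy"] || "").split(",")
    .map(policy => policy.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean).map(d => d.slice(1));
  if (lists.length > 0) // frame-ancestors present: X-Frame-Options is ignored
    return lists.every(list => list.some(src => sourceMatches(src, embedder, self)));
  const xfo = new Set((headers["x-frame-options"] || "").toLowerCase()
    .split(",").map(v => v.trim()).filter(Boolean));
  if (xfo.size > 1) // conflicting values: blocked if any is a recognised one
    return !["deny", "sameorigin", "allowall"].some(v => xfo.has(v));
  if (xfo.has("deny")) return false;
  if (xfo.has("sameorigin")) return embedder.origin === self.origin;
  return true; // nothing restricts framing (ALLOW-FROM is obsolete and ignored)
}

// Constructed audit: can a cross-origin sharing app frame this private page?
const page = "https://bank.example/accounts", app = "https://share-app.example/";
console.log(canBeFramedBy({}, page, app));
console.log(canBeFramedBy({ "content-security-policy": "frame-ancestors 'none'" }, page, app));
```

A `true` result for a page that shows account or profile data means a sharing application on another origin could place it in an iframe inside the captured tab.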