
Re: What is missing for building "real" services?

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Thu, 09 Jan 2014 20:03:06 -0500
Message-ID: <52CF46CA.3040906@bbs.darktech.org>
To: public-webrtc@w3.org

On 09/01/2014 6:28 PM, Randell Jesup wrote:
> On 1/9/2014 12:39 AM, cowwoc wrote:
>> Okay, so here is my second attempt at this:
>>
>> We should be able to share any part of the display that the 
>> application does not control. Meaning, the webapp might allow users 
>> to share the contents of Excel so long as it has no control over what 
>> gets displayed by Excel. Similarly, it should be allowed to share any 
>> browser tab so long as it plays within its own host/origin.
>>
>> Assuming that co-browsing is a non-goal for now, is the above 
>> (read-only screen sharing) safe from a security point of view?
>
> There are security issues even for read-only sharing.
>
> If the application can control an iframe in the shared tab/window, it 
> could flick up images of private data it normally couldn't access 
> (even via writing to a canvas) due to cross-origin restrictions. Data 
> such as bank accounts, private user pages, etc.

As I mentioned in a follow-up post, we would not allow cross-origin 
requests. Any application that enables screen sharing would not be 
allowed to issue any requests outside of its origin.

Gili
Received on Friday, 10 January 2014 01:03:38 UTC
