W3C home > Mailing lists > Public > public-webrtc@w3.org > January 2014

Re: What is missing for building "real" services?

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Thu, 09 Jan 2014 20:03:06 -0500
Message-ID: <52CF46CA.3040906@bbs.darktech.org>
To: public-webrtc@w3.org
On 09/01/2014 6:28 PM, Randell Jesup wrote:
> On 1/9/2014 12:39 AM, cowwoc wrote:
>> Okay, so here is my second attempt at this:
>>
>> We should be able to share any part of the display that the 
>> application does not control. Meaning, the webapp might allow users 
>> to share the contents of Excel so long as it has no control over what 
>> gets displayed by Excel. Similarly, it should be allowed to share any 
>> browser tab so long as it plays within its own host/origin.
>>
>> Assuming that co-browsing is a non-goal for now, is the above 
>> (read-only screen sharing) safe from a security point of view?
>
> There are security issues even for read-only sharing.
>
> If the application can control an iframe in the shared tab/window, it 
> could flick up images of private data it normally couldn't access 
> (even via writing to a canvas) due to cross-origin restrictions. Data 
> such as bank accounts, private user pages, etc.

As I mentioned in a follow-up post, we would not allow cross-origin 
requests. Any application that enables screen sharing would not be 
allowed to issue any requests outside of its origin.

Gili
Received on Friday, 10 January 2014 01:03:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:37 UTC