Re: What is missing for building "real" services? from Eric Rescorla on 2014-01-11 (public-webrtc@w3.org from January 2014)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 10 Jan 2014 16:47:46 -0800
To: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
Cc: Jan-Ivar Bruaroey <jib@mozilla.com>, public-webrtc <public-webrtc@w3.org>, Alexandre Gouaillard <agouaillard@gmail.com>, Randell Jesup <randell-ietf@jesup.org>
Message-ID: <CABcZeBMfqZugNwz0h-iGETE3fAvtsMfT7V4VSVxsCT3uioRusQ@mail.gmail.com>

On Fri, Jan 10, 2014 at 4:22 PM, Silvia Pfeiffer
<silviapfeiffer1@gmail.com> wrote:
>
> On 11 Jan 2014 06:55, "Jan-Ivar Bruaroey" <jib@mozilla.com> wrote:
>>
>> On 1/9/14 8:22 PM, Alexandre GOUAILLARD wrote:
>>>
>>> 3. See this entire e-mail as an expression of my frustration:
>>> - yes, everybody agrees it s important
>>> - yes, chrome as *an* implementation
>>> - yes, we all agree it's sensitive, and there are a lot of identified
>>> scenarii where things would go wrong.
>>> but can we for the love of all the good things out there, not stay stuck
>>> at the above three lines and come up with something, anything, that enable
>>> it without a plugin or an extension (but with care and with some fences
>>> around it to prevent).[...]
>>>
>>>
>>> I certainly don't know enough about the subject even though I read all
>>> the cited draft, specs and related discussion online, and I don;t have the
>>> experience that some (most) of you guys here have. But It does not mean I
>>> don't have a point. I also do not pretend to know enough, and I would have
>>> no problem joining any kind of informal task force including chrome and
>>> mozilla people, at anytime of the day or night (I'm 15 hours away from
>>> pacific time) and try super hard to understand all aspects, if such a task
>>> force was set up with the will to find a way to make it happen. I can even
>>> code parts and/or dedicate staff to this. I just would like to see something
>>> coming else than making a plugin.
>>
>>
>> This is the task force. The place to solve this is here.
>>
>> It's not that hard to understand:
>>
>> A webpage today is allowed to manipulate content it cannot see. It can
>> make your bank-account page dance across your screen, but it cannot see it.
>> Screengrabbing is like giving it a mirror. With that mirror, it can target
>> and grab all your online information in a flickeringly short second. Explain
>> that to people.
>
> What happened to the idea of blacking out all tabs that don't have an
> explicit permission set, e.g. something like a meets tag of
> "screensharing=allow"? I thought that would mediate this issue.

If by mediate you mean "cause web pages to look really bad when shared",
then yes, it would...

-Ekr

Received on Saturday, 11 January 2014 00:48:54 UTC