- From: Roman Shpount <roman@telurix.com>
- Date: Tue, 21 Jan 2014 14:48:23 -0500
- To: Justin Uberti <juberti@google.com>
- Cc: cowwoc <cowwoc@bbs.darktech.org>, "public-webrtc@w3.org" <public-webrtc@w3.org>
- Message-ID: <CAD5OKxtAzQ4=J97qZmb_4pR2Enq6qfW6qgkszEZc_DHB19z2Tw@mail.gmail.com>
If you need to pick a window for sharing from the chooser, what additional security would the extension provide? As I have mentioned before, based on the attack vectors related to extensions, I expect extension installation to be disabled in enterprise environment. This will render screen sharing in its current form unusable. _____________ Roman Shpount On Tue, Jan 21, 2014 at 2:32 PM, Justin Uberti <juberti@google.com> wrote: > Indeed, hence "defense in depth" (i.e. you still need to pick a window for > sharing from the chooser) > > > On Sun, Jan 19, 2014 at 9:42 PM, cowwoc <cowwoc@bbs.darktech.org> wrote: > >> On 14/01/2014 12:31 PM, Martin Thomson wrote: >> >>> On 14 January 2014 05:23, Dominique Hazael-Massieux <dom@w3.org> wrote: >>> >>>> How about tying this to CORS? If you already grant cross-origin access >>>> to your Web content via CORS, can it be inferred you're happy to share >>>> its content via screen sharing? >>>> >>> That doesn't really work in that the iframe (or other cross origin >>> content) is acquired without the CORS preflight. I was thinking >>> Frame-Options actually. >>> >>> >> Amusing read about browser extensions: http://www.reddit.com/r/IAmA/ >> comments/1vjj51/i_am_one_of_the_developers_of_a_popular_chrome/ >> >> By the time you notice that an extension has become malicious, over 700k >> users could have had their banking records stolen. Point is: hiding >> security-sensitive features behind extensions does not (on its own) ensure >> security. >> >> Gili >> >> >
Received on Tuesday, 21 January 2014 19:48:53 UTC