Re: Cross origin screensharing

From: Roman Shpount <roman@telurix.com>
Date: Tue, 21 Jan 2014 14:48:23 -0500
Message-ID: <CAD5OKxtAzQ4=J97qZmb_4pR2Enq6qfW6qgkszEZc_DHB19z2Tw@mail.gmail.com>
To: Justin Uberti <juberti@google.com>
Cc: cowwoc <cowwoc@bbs.darktech.org>, "public-webrtc@w3.org" <public-webrtc@w3.org>

If you need to pick a window for sharing from the chooser, what additional
security would the extension provide?

As I have mentioned before, based on the attack vectors related to
extensions, I expect extension installation to be disabled in enterprise
environments. This will render screen sharing in its current form unusable.

Roman Shpount

On Tue, Jan 21, 2014 at 2:32 PM, Justin Uberti <juberti@google.com> wrote:

> Indeed, hence "defense in depth" (i.e. you still need to pick a window for
> sharing from the chooser)
> On Sun, Jan 19, 2014 at 9:42 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:
>> On 14/01/2014 12:31 PM, Martin Thomson wrote:
>>> On 14 January 2014 05:23, Dominique Hazael-Massieux <dom@w3.org> wrote:
>>>> How about tying this to CORS? If you already grant cross-origin access
>>>> to your Web content via CORS, can it be inferred you're happy to share
>>>> its content via screen sharing?
>>> That doesn't really work in that the iframe (or other cross origin
>>> content) is acquired without the CORS preflight.  I was thinking
>>> Frame-Options actually.
>> Amusing read about browser extensions:
>> http://www.reddit.com/r/IAmA/comments/1vjj51/i_am_one_of_the_developers_of_a_popular_chrome/
>> By the time you notice that an extension has become malicious, over 700k
>> users could have had their banking records stolen. Point is: hiding
>> security-sensitive features behind extensions does not (on its own) ensure
>> security.
>> Gili
Received on Tuesday, 21 January 2014 19:48:53 UTC