- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Wed, 22 Jan 2014 10:53:36 +0100
- To: public-webrtc@w3.org
- Message-ID: <52DF9520.4040707@alvestrand.no>

On 01/21/2014 08:48 PM, Roman Shpount wrote:
> If you need to pick a window for sharing from the chooser, what
> additional security would the extension provide?
>
> As I have mentioned before, based on the attack vectors related to
> extensions, I expect extension installation to be disabled in
> enterprise environment. This will render screen sharing in its current
> form unusable.

In my Chrome, I have 8 of my 20-odd extensions "installed by enterprise policy". I do expect this to be fairly frequent.

https://support.google.com/chrome/a/answer/188453?hl=en&ref_topic=2936229

I don't see it as unreasonable to have a corporation decide whether screencasting is allowed or not.

> _____________
> Roman Shpount
>
> On Tue, Jan 21, 2014 at 2:32 PM, Justin Uberti <juberti@google.com> wrote:
>
> > Indeed, hence "defense in depth" (i.e. you still need to pick a
> > window for sharing from the chooser)
> >
> > On Sun, Jan 19, 2014 at 9:42 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:
> >
> > > On 14/01/2014 12:31 PM, Martin Thomson wrote:
> > >
> > > > On 14 January 2014 05:23, Dominique Hazael-Massieux <dom@w3.org> wrote:
> > > >
> > > > > How about tying this to CORS? If you already grant cross-origin access
> > > > > to your Web content via CORS, can it be inferred you're happy to share
> > > > > its content via screen sharing?
> > > >
> > > > That doesn't really work in that the iframe (or other cross origin
> > > > content) is acquired without the CORS preflight. I was thinking
> > > > Frame-Options actually.
> > >
> > > Amusing read about browser extensions:
> > > http://www.reddit.com/r/IAmA/comments/1vjj51/i_am_one_of_the_developers_of_a_popular_chrome/
> > >
> > > By the time you notice that an extension has become malicious,
> > > over 700k users could have had their banking records stolen.
> > > Point is: hiding security-sensitive features behind extensions
> > > does not (on its own) ensure security.
> > >
> > > Gili

Received on Wednesday, 22 January 2014 09:54:06 UTC