[mediacapture-screen-share] Forbid getDisplayMedia in top-level browsing context by default?

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Thu, 15 Nov 2018 18:28:26 +0000
To: public-webrtc@w3.org
Message-ID: <issues.opened-381285870-1542306499-sysbot+gh@w3.org>

jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-screen-share:

== Forbid getDisplayMedia in top-level browsing context by default? ==
Right now, [our feature policy](https://w3c.github.io/mediacapture-screen-share/#feature-policy-integration)'s default allowlist is `"self"`, disallowing calls from iframes only.

Since `getDisplayMedia` could be used maliciously to [violate "the Web security model"](https://tools.ietf.org/html/draft-ietf-rtcweb-security-10#section-4.1.1), should it be [`"none"`](https://wicg.github.io/feature-policy/#default-allowlists)?

This would protect web sites with no interest in this API from exposure, e.g. from injection attacks.

cc @youennf, @martinthomson 

Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/90 using your GitHub account
Received on Thursday, 15 November 2018 18:28:28 UTC
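
As an added example (not part of the original message or of the spec text), here is a simplified JavaScript model of how the default allowlist decides whether `getDisplayMedia` is available, covering a top-level document and one level of iframe nesting. The `isEnabled` and `compareDefaults` functions, the document objects and the `.example` origins are constructed for illustration.

```javascript
// Simplified model of Feature Policy evaluation for one feature (added example,
// not the spec algorithm verbatim). An allowlist is an array of "*", "self" or
// origins; the empty array stands for 'none'.
function matches(allowlist, origin, selfOrigin) {
  return allowlist.some(entry =>
    entry === "*" || (entry === "self" ? origin === selfOrigin : entry === origin));
}

// doc: { origin, header?, parent?, allow? }
//   header = allowlist the document's own Feature-Policy header declares
//   allow  = allowlist from the embedding <iframe allow="..."> attribute,
//            where "self" means the parent's origin
// defaultAllowlist: "*", "self" or "none"
function isEnabled(doc, defaultAllowlist) {
  if (doc.parent) {
    // A frame cannot have a feature that its parent lacks.
    if (!isEnabled(doc.parent, defaultAllowlist)) return false;
    if (doc.allow) {
      if (!matches(doc.allow, doc.origin, doc.parent.origin)) return false;
    } else if (defaultAllowlist !== "*" &&
               !(defaultAllowlist === "self" && doc.origin === doc.parent.origin)) {
      return false;
    }
  }
  // A policy declared in the document's own header overrides the default.
  if (doc.header) return matches(doc.header, doc.origin, doc.origin);
  // Script running in the document, injected or not, has the document's origin,
  // so a default of "self" leaves the feature on for it.
  return defaultAllowlist === "*" || defaultAllowlist === "self";
}

// Constructed sample documents.
const plainSite = { origin: "https://shop.example" };                // sends no header
const optedIn   = { origin: "https://meet.example", header: ["self"] };
const optedOut  = { origin: "https://shop.example", header: [] };    // display-capture 'none'
const adFrame   = { origin: "https://ads.example", parent: plainSite };

// Result under the current default ("self") and the proposed one ("none").
function compareDefaults(doc) {
  return { self: isEnabled(doc, "self"), none: isEnabled(doc, "none") };
}

console.log("plain site:", compareDefaults(plainSite));
console.log("opted in:  ", compareDefaults(optedIn));
console.log("opted out: ", compareDefaults(optedOut));
console.log("ad iframe: ", compareDefaults(adFrame));
```

In this model a site that sends no header is exposed only under the `"self"` default, while a site that declares the feature in its own header behaves the same under either default.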