jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-screen-share: == Forbid getDisplayMedia in top-level browsing context by default? == Right now, [our feature policy](https://w3c.github.io/mediacapture-screen-share/#feature-policy-integration)'s default allowlist is `"self"`, disallowing calls from iframes only. Since `getDisplayMedia` could be used maliciously to [violate "the Web security model"](https://tools.ietf.org/html/draft-ietf-rtcweb-security-10#section-4.1.1), should it be [`"none"`](https://wicg.github.io/feature-policy/#default-allowlists)? This would protect web sites with no interest in this API from exposure, e.g. from injection attacks. cc @youennf, @martinthomson Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/90 using your GitHub accountReceived on Thursday, 15 November 2018 18:28:28 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:45 UTC