- From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Nov 2018 18:28:26 +0000
- To: public-webrtc@w3.org
jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-screen-share:

== Forbid getDisplayMedia in top-level browsing context by default? ==

Right now, [our feature policy](https://w3c.github.io/mediacapture-screen-share/#feature-policy-integration)'s default allowlist is `"self"`, disallowing calls from iframes only.

Since `getDisplayMedia` could be used maliciously to [violate "the Web security model"](https://tools.ietf.org/html/draft-ietf-rtcweb-security-10#section-4.1.1), should it be [`"none"`](https://wicg.github.io/feature-policy/#default-allowlists)?

This would protect web sites with no interest in this API from exposure, e.g. from injection attacks.

cc @youennf, @martinthomson

Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/90 using your GitHub account
Received on Thursday, 15 November 2018 18:28:28 UTC