- From: Elad Alon via GitHub <sysbot+gh@w3.org>
- Date: Wed, 16 Dec 2020 09:57:55 +0000
- To: public-webrtc@w3.org
eladalon1983 has just created a new issue for https://github.com/w3c/mediacapture-screen-share:

== Capture-current-tab: Managing capture-ability by cross-origin embedder as opt-in vs. opt-out ==

An API for capturing the current tab, to be named getCurrentBrowsingContextMedia (or getTabMedia, or something similar), is [under discussion](https://github.com/w3c/mediacapture-screen-share/pull/148). Concerns have been expressed over how this could be used to circumvent the origin-isolation model, as well as harvest user data.

Both @jan-ivar and I have made suggestions for ways to address the former of these two concerns. The most important difference between these two suggestions, IMHO, is whether the capture-ability of embedded resources by their embedder is opt-in or opt-out. ([Opt-in suggestion](https://github.com/w3c/mediacapture-screen-share/issues/155), [opt-out suggestion](https://docs.google.com/presentation/d/1CeNeno5XuDhm1mpnVyE9eT14YKZgZUtgQsJfC8uqEpA/edit#slide=id.gaef31c926d_1_6).) I suggest that we leave other threads to discuss the particulars of their respective proposals, and use this discussion thread to try and arrive at a decision over whether opt-in or opt-out is more appropriate.

In a discussion with a potential user of the proposed API, they have expressed that it would be prohibitively difficult for them to transition their very substantial application, which embeds plenty of cross-origin first- and third-party resources, into an opt-in model, and maintain it over time. The cost (and risks) are simply too great, they tell me. They would simply not use the new API if it's opt-in.

It might be that an opt-in model would be superior from a theoretical security perspective. I am concerned that these gains would remain theoretical due to lack of adoption. It seems to me that the real choice is not between opt-in and opt-out. Rather, IMHO, the choice is between opt-out and no-feature, leaving native applications as the only way to support the intended use case.

I think it would be good if we could hear from other prospective users of this API. I will do my best to invite some, and I encourage everybody else to do the same.

Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/156 using your GitHub account

-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 16 December 2020 09:57:57 UTC