- From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
- Date: Wed, 13 Nov 2024 08:34:31 +0000
- To: public-webrtc@w3.org
jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-surface-control: == [Capture control] Address click-jacking concerns == In https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2435351548 ~we seem to agree~/lists serious click-jacking concerns [that] remain with this API. > Undesirable behaviors: > - Attempts to click-jack scrolling input from the user, through techniques such as > - div covering entire page > - transparent element > - element following the mouse > - element larger than visible preview video > - element not visible to the user > - Attempts to induce over-scroll > - no preview video > - delayed preview video > - inauthentic preview video Also https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2437850738: > - Pop a video element where the user was already scrolling. > - Have the video already there, but obscured by another element, then remove the obscuring element. [IMHO] Permission prompts have shown to be useless in explaining click-jacking threats to users. If users can't understand the risk then we have not obtained [meaningful consent](https://w3ctag.github.io/design-principles/#consent). As such, permission does not seem sufficient as a remedy to these attacks. The spec needs to address this: - by documenting risks and approaches under security considerations - provide design recommendations to implementers to disable forwarding when click-jacking is suspected - choose API designs that help user agents mitigate these risks, such as - limit scope of functionality to live, user-visible and stable video playback (e.g. of a preview area) Please view or discuss this issue at https://github.com/w3c/mediacapture-surface-control/issues/41 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 13 November 2024 08:34:33 UTC