- From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
- Date: Tue, 29 Oct 2024 15:45:59 +0000
- To: public-webrtc@w3.org
jan-ivar has just created a new issue for https://github.com/w3c/mediacapture-screen-share-extensions:

== Address click-jacking concerns ==

In https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2435351548 we seem to agree serious click-jacking concerns remain with this API.

> Undesirable behaviors:
> - Attempts to click-jack scrolling input from the user, through techniques such as
>   - div covering entire page
>   - transparent element
>   - element following the mouse
>   - element larger than visible preview video
>   - element not visible to the user
> - Attempts to induce over-scroll
>   - no preview video
>   - delayed preview video
>   - inauthentic preview video

Also https://github.com/w3c/mediacapture-screen-share-extensions/issues/14#issuecomment-2437850738:

> - Pop a video element where the user was already scrolling.
> - Have the video already there, but obscured by another element, then remove the obscuring element.

Permission prompts have been shown to be useless in explaining click-jacking threats to users. If users can't understand the risk then we have not obtained [meaningful consent](https://w3ctag.github.io/design-principles/#consent). As such, permission does not seem sufficient as a remedy to these attacks.

The spec needs to address this:
- by documenting risks and approaches under security considerations
- provide design recommendations to implementers to disable forwarding when click-jacking is suspected
- choose API designs that help user agents mitigate these risks, such as
  - limit scope of functionality to live, user-visible and stable video playback (e.g. of a preview area)

Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share-extensions/issues/24 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 29 October 2024 15:46:01 UTC
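As an added illustration of the "disable forwarding when click-jacking is suspected" recommendation in the issue above (example code, not from the issue, the spec or any browser): a gate that refuses to forward a wheel event unless the preview `<video>` is live, user-visible and positionally stable, with one check per undesirable behaviour the issue lists. `forwardWheel`, `snapshotPreview` and the thresholds are assumptions made for the example.

```javascript
// Added example (not from the issue or the spec): forward a wheel event only when the
// preview <video> is live, user-visible and stable. `forwardWheel` is a hypothetical
// stand-in for the real forwarding primitive; the thresholds are assumed values.
const STABLE_MS = 500;           // preview must have been still and visible this long (assumed)
const FULL_PAGE_FRACTION = 0.95; // a "preview" this large is treated as a page cover (assumed)

// Pure verdict over a snapshot of element state, testable without a DOM; reasons mirror the issue.
function forwardingVerdict(s) {
  const reasons = [];
  if (!s.connected || !s.visible) reasons.push('element not visible to the user');
  if (s.opacity < 0.99) reasons.push('transparent element');
  if (!s.topElementIsVideo) reasons.push('element obscured or overlaid at pointer');
  if (s.width >= s.viewportWidth * FULL_PAGE_FRACTION &&
      s.height >= s.viewportHeight * FULL_PAGE_FRACTION) reasons.push('element covering entire page');
  if (s.paused || s.ended || s.readyState < 2) reasons.push('no live preview video');
  if (s.msSinceLastMove < STABLE_MS) reasons.push('element following the mouse');
  if (s.msSinceVisible < STABLE_MS) reasons.push('delayed or popped-in preview video');
  return { allow: reasons.length === 0, reasons };
}

// DOM glue: snapshot the preview at the wheel event; `state` ({} initially) keeps history across calls.
function snapshotPreview(video, event, state, now = performance.now()) {
  const r = video.getBoundingClientRect();
  const prev = state.lastRect;
  const moved = !prev || prev.x !== r.x || prev.y !== r.y ||
                prev.width !== r.width || prev.height !== r.height;
  if (moved) { state.lastMoveAt = now; state.lastRect = r; }
  const visible = video.isConnected &&
    (typeof video.checkVisibility !== 'function' ||
     video.checkVisibility({ opacityProperty: true, visibilityProperty: true }));
  state.visibleSince = visible ? (state.visibleSince ?? now) : undefined;
  return {
    connected: video.isConnected, visible,
    opacity: parseFloat(getComputedStyle(video).opacity),
    topElementIsVideo: document.elementFromPoint(event.clientX, event.clientY) === video,
    width: r.width, height: r.height,
    viewportWidth: window.innerWidth, viewportHeight: window.innerHeight,
    paused: video.paused, ended: video.ended, readyState: video.readyState,
    msSinceLastMove: now - state.lastMoveAt,
    msSinceVisible: now - (state.visibleSince ?? now),
  };
}

// Wire-up: call from a 'wheel' listener on the preview; forwards only on a clean verdict.
function guardedForward(video, event, state, forwardWheel) {
  const verdict = forwardingVerdict(snapshotPreview(video, event, state));
  if (verdict.allow) forwardWheel(event);   // hypothetical forwarding primitive
  return verdict;
}
```

Because the first snapshot always counts as a move and as the moment the preview became visible, the very first wheel event after the preview appears is never forwarded, which is the intended behaviour against popped-in or recently unobscured video elements.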