On Fri, Oct 24, 2014 at 10:56 PM, Jonas Sicking <jo...@sicking.cc> wrote:

> On Fri, Oct 24, 2014 at 9:25 PM, Eric Rescorla <e...@rtfm.com> wrote:
> > On Fri, Oct 24, 2014 at 3:56 PM, Robert O'Callahan <rob...@ocallahan.org> wrote:
> >> On Sat, Oct 25, 2014 at 6:17 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> >>
> >> > Can we keep track of where the stream comes from, and make sure to taint
> >> > the images that can come out of them similar to the way that we taint
> >> > cross origin images by default to prevent them from being read back on the
> >> > client?  I think with that, and a prompting similar to the camera
> >> > prompting of getUserMedia, we may address a good chunk of these issues.  (But
> >> > admittedly I haven't thought very carefully about this yet.)
> >> >
> >>
> >> This is hard because normally you want to transmit these screenshots or
> >> sequence of screenshots somewhere. If an app is transmitting them, it can
> >> probably capture them at the other end.
> >>
> >> I guess a permissions approach with an always-on reminder that your screen
> >> is being captured can probably work.
> >
> >
> > Unfortunately, for the reasons I mentioned in the post I linked to above,
> > it's hard for the user to give informed consent here, as they don't
> > understand SOP, CSRF, etc.
>
> It's unclear to me what you are suggesting that we should or should not do.
>

Well, as I said above, FF 33 is already shipping what MT and I were
able to come up with on short notice, namely:

- A whitelist of the sites that are "legitimate" conferencing sites
- A user consent dialog which only even appears if a site is on the
whitelist.

There's been a bunch of discussion about technical measures that would
allow us to remove the whitelist (e.g., don't let people share the browser),
but we're still trying to figure out the best thing. I suppose only allowing
a snapshot or blurring it might also fall into this category. I'd certainly
be very interested in having a discussion about other such mechanisms,
since we're (obviously) not that happy about the ones we already
have thought of.


> Also, oftentimes there's much more sensitive information captured
> from a user's camera, than from a user's screen. Don't SOP and CSRF
> concerns apply there too?


The issue isn't sensitivity, but rather informed consent. If I turn my
camera and microphone on, it's relatively clear what data it captures.
By contrast, if I share my screen, it's not at all obvious that the attacker
can use this to read the list of my gmail messages (for instance).

-Ekr
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
