Implement the display-capture feature policy from the Screen Capture spec. https://w3c.github.io/permissions/#dom-permissionname-display-capture This policy allows restricting access to the getDisplayMedia() API in embedded resources.
Firefox and Safari already implement this. (MDN claims otherwise, but it is out of date. The demo in https://plastic-brief-carnation.glitch.me/ demonstrates as much.)
The spec for getDisplayMedia lists display-capture as the mandated gating. Performance unaffected.
Some websites could conceivably lose access to display capture if they call getDisplayMedia from a context which is not currently allowlisted by display-capture. This is unavoidable, as the spec (rightfully) mandates that such calls to getDisplayMedia be rejected. We have considered introducing display-capture carefully by only emitting a deprecation warning when getDisplayMedia is called from a non-permitted context for two milestones. There are some inherent problems:
1. Sites will remain unprotected for longer. (display-capture serves a vital purpose, after all.)
2. This would mislead sites that use feature discovery to decide whether it's safe to embed an iframe. Such sites would incorrectly believe they can strip away getDisplayMedia access from iframed documents.
Mitigating the risks of shipping this immediately is that Firefox and Safari already implement display-capture. This makes it unlikely that sites of appreciable size and polish fail to apply display-capture.
This is a pure security gain. It plugs an existing security hole.
This is one feature policy, and piggybacks on the general debuggability of feature policies.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMO6jDPGfXfE5z6hJcWO112zX3We-oNTb%2BZjiJk%2B6RNb9%2Bv05w%40mail.gmail.com.
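As an added illustration (not part of this intent or of Chromium's code), an embedder that delegates display capture to one cross-origin iframe and withholds it from another, followed by the iframe-side check; the origins are placeholders, and document.featurePolicy is the Chromium feature-discovery API.

```html
<!-- Embedder (top-level document). Added example, not from the thread;
     origins are placeholders. -->

<!-- The default allowlist for display-capture is 'self', so a cross-origin
     iframe with no allow attribute cannot call getDisplayMedia(). -->
<iframe src="https://untrusted.example/widget.html"></iframe>

<!-- Explicit delegation: only this frame, and only while it stays on its
     src origin, may call getDisplayMedia(). -->
<iframe src="https://trusted.example/recorder.html"
        allow="display-capture"></iframe>

<!-- Inside recorder.html (the embedded document) -->
<script>
  async function startCapture() {
    // Feature discovery (Chromium-specific API): check before calling, so a
    // frame the embedder did not delegate to fails with a clear message.
    const policy = document.featurePolicy;
    if (policy && !policy.allowsFeature("display-capture")) {
      console.warn("display-capture was not delegated by the embedder");
      return null;
    }
    try {
      return await navigator.mediaDevices.getDisplayMedia({ video: true });
    } catch (err) {
      // A frame not allowlisted by display-capture has the call rejected
      // with NotAllowedError, the same error a user denial produces.
      console.warn("getDisplayMedia rejected:", err.name);
      return null;
    }
  }
</script>
```

Removing the allow attribute from the second iframe is enough to verify the rejection path in a browser that ships the policy.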
This does indeed change default behavior. Cross-origin iframes will not, by default, be allowed to call getDisplayMedia, unless explicitly allowlisted by the embedder. That is because the default value of the policy is 'self'.

Gladly, I will file a new BCD issue. My understanding is that I should do this once I get the CLs landed or at least LGTMed. If you meant right now, though, let me know, I can do that, too.
s/intentionally/initially

On Thursday, July 22, 2021 at 9:44:10 PM UTC+2 Elad Alon wrote:
I intentionally intended to introduce those (see the Alternatives Considered section of the design doc), and even got UKM approved and the CLs lined up (UKM-CL, UMA-CL). But after thinking about it for a bit longer, I realized that I had no way of distinguishing legitimate breaks - those display-capture was intended to stop - from illegitimate breaks - those where the website just needs to be rewritten. It also occurred to me that with a security issue, it's good to move fast and plug the hole soon, not wait a few milestones until the new UMA+UKM is in the field and data starts coming in. I therefore think it's best to ship without waiting for the UKM+UMA. I do, however, intend to land those CLs for after-the-fact tracking. Wdyt?
I see that the use counter has a couple of sample urls included. Now you already have 3xLGTM but they might still come in handy when checking the effects of the change (hopefully none).
/Daniel