On Fri, Oct 24, 2014 at 9:25 PM, Eric Rescorla <e...@rtfm.com> wrote:
> On Fri, Oct 24, 2014 at 3:56 PM, Robert O'Callahan <rob...@ocallahan.org> wrote:
>> On Sat, Oct 25, 2014 at 6:17 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
>>
>> > Can we keep track of where the stream comes from, and make sure to taint
>> > the images that can come out of them similar to the way that we taint
>> > cross origin images by default to prevent them from being read back on the
>> > client? I think with that, and a prompting similar to the camera prompting
>> > of getUserMedia, we may address a good chunk of these issues. (But
>> > admittedly I haven't thought very carefully about this yet.)
>>
>> This is hard because normally you want to transmit these screenshots or
>> sequence of screenshots somewhere. If an app is transmitting them, it can
>> probably capture them at the other end.
>>
>> I guess a permissions approach with an always-on reminder that your screen
>> is being captured can probably work.
>
> Unfortunately, for the reasons I mentioned in the post I linked to above,
> it's hard for the user to give informed consent here, as they don't
> understand SOP, CSRF, etc.

It's unclear to me what you are suggesting that we should or should not do.

Also, oftentimes there's much more sensitive information captured from a user's camera than from a user's screen. Don't SOP and CSRF concerns apply there too?

/ Jonas
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform