Closed Bug 942806 Opened 12 years ago Closed 11 years ago

SecReview: Screen sharing UI

Categories

(mozilla.org :: Security Assurance: Review Request, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: dveditz)

Placeholder for the code review
Summary: SecReview (code review): Screen sharing UI → SecReview: Screen sharing UI
We've had several mtgs on this. Resolved:

* Share only on https sites (at least for now). Screen data is sensitive and users need to know with whom they're sharing.
* Some ui improvements to make more prominent the fact that sharing is active
* Always prompt, never store blanket permission
* A whitelist of known good actors allowed to request sharing

The latter is primarily due to the intractable problem that if the entire screen is shared, or a browser window/tab that's in collusion with the sharing site, sensitive data can be harvested without the user's knowledge or consent.

Obviously the explicitly shared window is available to the sharing site and the prompt is a mechanism by which the user gives consent to that. But it will not be obvious to users that the sharing site may be able to cause additional information to appear in the shared window that would reveal information about the user or data from other sites or stored locally. The ability for the sharing site to do this would depend on what exactly the user shared, with full screen sharing giving a malicious sharing site the most flexibility to harvest information. There are some circumstances when this harvesting would be unnoticeable by the user.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview]