Re: [rtcweb] Notes on security for browser-based screen/application sharing

Stephen Farrell <> Fri, 22 March 2013 15:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A769521F8E4B for <>; Fri, 22 Mar 2013 08:44:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wbbrGbGJdY1W for <>; Fri, 22 Mar 2013 08:44:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C8C3121F8E12 for <>; Fri, 22 Mar 2013 08:44:43 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 38AC8BE7B; Fri, 22 Mar 2013 15:44:22 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SK0BoqhWoqqP; Fri, 22 Mar 2013 15:44:17 +0000 (GMT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 56E0DBE47; Fri, 22 Mar 2013 15:44:17 +0000 (GMT)
Message-ID: <>
Date: Fri, 22 Mar 2013 15:44:17 +0000
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Eric Rescorla <>
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Cc: "Cullen Jennings (fluffy)" <>, "" <>, "" <>
Subject: Re: [rtcweb] Notes on security for browser-based screen/application sharing
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Mar 2013 15:44:45 -0000

A related question, apologies if this is well known
already, or it if fits more within the W3C than here.

Are there other things on the user's device that might
end up being shared? E.g. accelerometers or other sensors.
There have been papers demonstrating that access to such
information can reveal lots of things, e.g. passwords.

I also wonder what's supposed to happen to the camera
and mic if a screensaver kicks in. (Thinking again
that a password might be entered at that point and that
the remote end might be able to extract that from
noise/arm movement if the camera/mic are still on.)


On 03/22/2013 02:17 PM, Eric Rescorla wrote:
> On Fri, Mar 22, 2013 at 6:50 AM, Cullen Jennings (fluffy)
> <>wrote:
>> One comment on this from a requirements point of view…
>> Clearly sharking the "desktop" has far more security concerns that sharing
>> a single applications such as PowerPoint. All the use cases I am interested
>> in only need to share an application not a desktop. I think we should
>> separate the handling of permissions along these lines. So I would be fine
>> with "share desktop" needed an explicit grant of permission every time it
>> was invoked (preferably by the user selecting this as part to choosing what
>> to share in a browser chrome window). On the other hand, when sharing an
>> application I might be OK with a persistent permission based on an install
>> model but when I think about the real uses cases, I'm not sure that is
>> needed if we have a good browser based dialog box to pick what will be
>> shared.
> The main point of my note is that the user has basically no idea what
> sharing
> the browser means. I don't see how this is remediated by a dialog box
> telling them that they are sharing the browser.
>> When the applications being shared is the browser there are also the
>> additional problems as you point out. My view of the best way to solve
>> these would be to scope the "application" being shared to the origin. What
>> I mean by this is assume that I have my browser open to two webpages, one
>> with an origin of and the other to and I am also
>> running powerpoint and word. When the browser pops up a dialog box asking
>> me what I wanted to share, it would give me 5 choices "Firefox
>> (", "Firefox (, "Word", "PowerPoint", and
>> "Everything" and let me pick.
> This doesn't sound very implementable. First, if you're sharing primarily
> by pixel
> capturing out of the window, trying to figure out which pixels represent
> which
> origins is going to be a huge pain for the implementor. Second, many sites
> as a practical matter are composed of content from multiple origins
> (images out of a CDN, domain sharding, etc.) The result of what you propose
> is going to be that such sites will not render properly when shared. I
> suspect that sites will simply ask for "The browser".
> -Ekr
> _______________________________________________
> rtcweb mailing list