Though it's unspecified, all browsers that support "window" and "browser" displaySurfaces focus the captured window and/or tab either immediately before or immediately after getDisplayMedia success (in Firefox it's after, but in Chrome it's hard to tell because its prompt blurs the page).
If designed poorly, this may risk exposing end-users to clickjacking attacks. E.g. if the target window or tab is obscured and isn't focused immediately, then a malicious page might anticipate or guess its location before it is brought to front and lure users with a well-placed button.
Without challenging this being implementation defined, we should mention clickjacking concerns and give guidance.
Particularly, focusing after capture has started seems worse, as a malicious capturer can then look at the displaySurface to determine what is being captured and position their lure button more optimally to hit a certain target button.
In practice, today's browsers seem to be doing a good job here, switching focus so immediately that there's little time for users to click any misrepresentations, so this is more to make sure the spec is thorough and have something to point at in new issues like #190 where this initially came up.