-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should include / require spoofing protections #182
Comments
Thanks for your feedback! The only text we have is quite short indeed.
@mounirlamouri We've talked a lot about spoofing when thinking about arbitrary HTML in Picture-in-Picture. What are your thoughts on elaborating on this topic in the current spec? |
Sounds good. Also, I appreciate that limiting to |
I don't think at the moment these concerns are likely to lead to something concrete. The website wouldn't receive mouse events, hover, focus, or blur on the PIP window, thus making a lot of potential abuse very hard to do. When the user hover the UI, the UA would show its own media controls, making it very hard for a website to make it look like something it isn't. We can add language to detail why we think this is entirely fine but I would rather not add any requirements like attributions that do not feel needed atm. |
PiP window can be spoofed by capturing the PiP window with One ironic "fingerprinting" vector of PiP at Chromium is the implementation of the recommendation of a maximum PiP window size, which means that an "attacker" can determine the maximum screen width and height of the device by expanding the PiP window to maximum dimensions. Perhaps that is not a concern, as that is possible using other means, yet still a way to "fingerprint" device screen maximum dimension using PiP. That particular method of "fingerprinting" is not necessarily possible at Mozilla browsers implementation of PiP, which does not follow that recommendation. |
|
@mounirlamouri Yes, that is true, as indicated
It is also true that PiP controls distinguish PiP window, a potential guard against PiP window being spoofed, unless the "Back to tab", "Play", "Pause", "Close", "Play from the beginning" controls are spoofed, in which case clicking on spoofed controls could be an attack vector if user clicks the spoofed controls, where only one click is needed to Am not sure how a PiP window could be constructed via UI which could not be spoofed. Chromium and Firefox provide their own version of UI notification for If the PiP controls themselves are consistent and reliable then this issue should not be a concern. One option to address the concerns at OP would be to specify that a unique watermark - that is not recorded if the PiP window is captured by MediaRecorder - The watermark can be as simple as the user-agent text or timestamp of the initiated PiP session using user-selected font for disambiguation and certainty; a user-supplied image settable at Settings; or default icon in the configuration folder of the browser. If this issue is not really a concern nor should a restriction on PiP window be a concern, as the same rationale applies, or does not apply. |
So, it can be made to confuse users, but it's not interactive in any meaningful way. To @mounirlamouri points above, it seems like adding such UI requirements would be too extreme. That's not to say that a browser couldn't put such mitigations in place to protect their own users, but it seems onerous to impose that on every UA. I'm personally not sure there is anything actionable here. We can mention that it could be used to spoof things, but it's not interactive so there's not much an attacker could do. |
This won't be in scope for this API, so we'll update the spec and/or explainer as needed to clarify. |
I agree, that if this capabilitiy is removed (and not forward promised) then most of the concern goes away here, and i'm fine closing the issue one the change is in |
As implemented in Chromium browsers, there is currently no browser chrome to cleanly distinguish a PinP window from other, non browser windows. Further, bc the PinP window floats over everything else, it looks privileged and is not obviously tied to a browser / frame / context.
This opens up the ability for websites to spoof privileged system dialogs, along with other non-browser applications, that the user may have different trust levels with then a browser page.
The current restriction to
<video>
mitigates the worst cases (e.g., "MacOS needs your password" style forms), but 1) it seems possible to spoof / confuse with just video events, and 2) the spec says that arbitrary HTML may be forthcoming.The spec should require implementors to add unambiguous, un-page-reachable decoration to the PinP window, so that users can clearly know 1) that its a PinP window and not any other kind of dialog, and 2) which browsing context owns it.
Apologies if there are already such affordances in the text, though on two read throughs I don't see any thing in this area.
The text was updated successfully, but these errors were encountered: