LGTM1

On Tuesday, September 10, 2024 at 3:36:50 PM UTC-7 Reilly Grant wrote:
> LGTM as an IWA OWNER (3x LGTM from Blink API OWNERS are still required
> according to the IWA-specific API launch process
> <https://www.chromium.org/blink/launching-features/isolated-web-apps/>).
>
> This feature has been an interesting case study for when to restrict a
> capability to IWAs because the two underlying components of it, capturing a
> screen and enterprise policies to control a permission, exist in other
> features without requiring such drastic security measures. In
> consultation with the Security reviewers however we found that the
> combination of a requirement to capture all screens (which is more
> dangerous than normal screen capture because it doesn't allow the user to
> differentiate between shared and unshared content) and an administrator
> control (which removes user agency to decide whether their screen is
> displaying sensitive information) makes this feature a particularly
> attractive target for an attacker and necessitates the code integrity
> protections provided by Isolated Web Apps.
>
> Reilly Grant | Software Engineer | reil...@chromium.org | Google Chrome
> <https://www.google.com/chrome>
>
>
> On Tue, Sep 10, 2024 at 7:39 AM 'Simon Hangl' via blink-dev
> <blink-dev@chromium.org> wrote:
>
>> Contact emails
>>
>> simo...@google.com, swethasiva...@google.com
>>
>> Explainer
>>
>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>
>> Specification
>>
>> https://screen-share.github.io/capture-all-screens
>>
>> Design docs
>>
>> https://screen-share.github.io/capture-all-screens
>>
>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>
>> https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit?usp=sharing
>>
>> Summary
>>
>> Capture all the screens currently connected to the device using
>> getAllScreensMedia().
>>
>> Calling getDisplayMedia() multiple times requires multiple user gestures,
>> with the user manually selecting the next screen each time, and without a
>> guarantee to the app that all screens were selected. getAllScreensMedia()
>> improves on all of these fronts.
>>
>> (As this feature has extreme privacy ramifications, it is only exposed
>> behind an enterprise policy, and users are warned before recording even
>> starts, that recording *could* start at some point.)
>>
>>
>> Blink component
>>
>> Blink>Media>GetAllScreensMedia
>> <https://g-issues.chromium.org/components/1637013>
>>
>> TAG review
>>
>> https://github.com/w3ctag/design-reviews/issues/856
>>
>> TAG review status
>>
>> TAG has expressed concerns about exposing such a powerful capability on
>> the web. We mitigate their concerns by moving the API to Isolated Web Apps
>> and only exposing it to apps that are explicitly allowlisted by the device
>> owner.
>>
>> Chromium Trial Name
>>
>> GetAllScreensMedia
>>
>> Link to origin trial feedback summary
>>
>> https://github.com/screen-share/capture-all-screens/issues
>>
>> Origin Trial documentation link
>>
>> https://github.com/screen-share/capture-all-screens
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> This API is only available to origins allowlisted by administrators
>> through a policy. The policy itself is non-standard, limiting even
>> theoretical interoperability. This API rejects requests from pages that are
>> not allowlisted by an administrator. The likelihood of this API being
>> adopted by a browser that does not provide administrators mechanisms to
>> manage clients is low.
>>
>>
>> Gecko: N/A - given that the API is limited to managed configurations,
>> it's not clear that requesting a position is needed
>>
>> WebKit: N/A - given that the API is limited to managed configurations,
>> it's not clear that requesting a position is needed
>>
>> Web developers: Positive
>> (https://github.com/screen-share/capture-all-screens/issues/9)
>>
>> Other signals:
>>
>> Ergonomics
>>
>> No
>>
>>
>> Activation
>>
>> The challenge for developers is the limitation of the API to origins
>> allowlisted by an enterprise policy.
>>
>>
>> Security
>>
>> 1. Risk of malicious sites exploiting the API and gaining access to
>>    sensitive information on users' devices. This risk is mitigated by the
>>    API only being accessible to origins allowlisted by an enterprise
>>    policy.
>>
>> 2. Risk of an allowlisted site being compromised to gain access to
>>    sensitive information on users’ devices. This risk is mitigated by the
>>    API only being accessible to Isolated Web Apps.
>>
>> 3. Risk of users loading private information that gets recorded and made
>>    available to apps affiliated with their device's admin. This risk is
>>    mitigated by informing users that recording might start at any moment
>>    before the API becomes accessible. (In CrOS, this warning is delivered in
>>    the log-in screen, and when users log-in despite the warning, this is
>>    tantamount to assent.)
>>
>> 4. Risk of users forgetting that their screens are being recorded. This
>>    risk is mitigated through a persistent notification.
>>
>>
>> WebView application risks
>>
>> N/A (No change in behavior for existing APIs).
>>
>>
>> Debuggability
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)?
>>
>> No
>>
>> This API is initially implemented on CrOS, where demand for it is
>> greatest, and where we have the most flexibility in offering users early
>> warning that their screens may be recorded if they proceed past the log-in
>> screen. Lessons learned from shipping this API on CrOS will be used when
>> deciding how to correctly implement such warnings on other platforms.
>>
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> No, as WPTs don’t support setting of managed policies. The API is tested
>> by a number of unit- and browser- tests (Test files
>> <https://source.chromium.org/search?q=getallscreensmedia%20f:test.cc%20-f:out%2F&sq=>).
>>
>>
>> DevTrial instructions
>>
>> https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md
>>
>> Flag name on chrome://flags
>>
>> chrome://flags#enable-get-all-screens-media
>>
>> Finch feature name
>>
>> GetAllScreensMedia
>>
>> Non-finch justification
>>
>> This feature is only available through active enabling by admin policy
>> and can be disabled the same way at any time.
>>
>> Requires code in //chrome?
>>
>> True
>>
>> Tracking bug
>>
>> https://issues.chromium.org/issues/40216442
>>
>> Launch bug
>>
>> https://launch.corp.google.com/launch/4276771
>>
>> Measurement
>>
>> As this is a managed feature, monthly active users can be measured and
>> are displayed at go/contact-center-dashboard
>> <https://goto.google.com/contact-center-dashboard> (Googlers only).
>>
>> Availability expectation
>>
>> Feature is available only on ChromeOS for the foreseeable future.
>>
>> Adoption expectation
>>
>> We anticipate this feature being used by partners in the contact center
>> space (or other areas that have to comply with regulation or established
>> usage patterns that require screen capture).
>>
>> Adoption plan
>>
>> There is already a significant number of developers that are working on
>> integrating this feature in their products (beyond the developers that
>> expressed public interest here
>> <https://github.com/screen-share/capture-all-screens/issues/9>).
>>
>> Non-OSS dependencies
>>
>> At this time, this feature is only enabled through the Chrome admin panel
>> <https://admin.google.com/>.
>>
>> Sample links
>>
>> https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md
>>
>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>
>> Estimated milestones
>>
>> Shipping on desktop
>>
>> 137
>>
>> Origin trial desktop first
>>
>> 118
>>
>> Origin trial desktop last
>>
>> 128
>>
>> Origin trial extension 1 end milestone
>>
>> 131
>>
>> DevTrial on desktop
>>
>> 116
>>
>> Note there is a gap between the end of the origin trial (M131) and the
>> launch of this API (M137). Developers are currently using this API in PWAs
>> via OT and we agreed with Blink owners (assuming substantial progress on
>> the launch of this API in Isolated Web Apps) to extend the OT until
>> (including) M136 to enable developers to move from PWAs to IWAs. Please
>> refer to this thread
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/HErdlr3e_V0/m/WAey1zq5AAAJ>
>> for further information.
>>
>> Anticipated spec changes
>>
>> No open issues and no anticipated changes.
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/6284029979525120?gate=5610053803966464
>>
>> Links to previous Intent discussions
>>
>> Intent to Prototype:
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEdDZo9N354i6eST0x19TXwpeBtgs5_gJUYVF%2BTKLpiJySDADg%40mail.gmail.com
>>
>> Intent to Experiment:
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/NOm-YEQCAgAJ
>>
>> Intent to Extend Experiment 1:
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/HErdlr3e_V0
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAP0TkgEM43oxOSdADK5upZauT9HgGnse4AfS5r403kKs9uoi8Q%40mail.gmail.com.