On Thu, Mar 12, 2015 at 9:42 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 3/12/15 3:31 PM, Aryeh Gregor wrote:
>>
>> 2) Attacker opens a background tab and navigates it to http://b.com (I
>> can't think of a JavaScript way to do this, but if there isn't one,
>> making a big <a href="b.com" target=_blank> that covers the whole page
>> would work well enough)
>
> This is presuming user interaction.  I agree that attacks that rely on user
> interaction are also a problem here, but I'm _really_ scared by the
> potential of no-interaction needed attacks, which can happen when the user
> is not even actively using the computer.  Maybe it's just me.

What's the use of taking a picture if the user isn't actively using
the computer?  Also, the user will almost certainly return to the
computer at some point, and the attacker can probably wait till then.

On Thu, Mar 12, 2015 at 10:53 PM, Eric Rescorla <e...@rtfm.com> wrote:
> Yes. User consent failure represents a large fraction of failures on
> video conferencing sites.

Hmm.  I guess I'm not qualified to say whether this is worth it, but
it still does scare me.  Would these sites care if they have to be
HTTPS?

> Also, continually prompting users for
> permissions weakens protections against users granting consent
> to malicious sites.
>
> See also Adam Barth's
> "Prompting the User Is a Security Failure" at
> http://rtc-web.alvestrand.com/home/papers

Thoroughly agreed, and that is exactly what this proposal would do --
make users click through lots of extra permissions dialogs.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform