Design Review #609

#609: Early TAG design review for captureTab

Opened Feb 12, 2021

I'm requesting a TAG review of capture-current-tab.

Summary: in a number of scenarios (most prominently sharing Web slides in a Web teleconference), offering the possibility to video-capture the current tab (or a cropped view of the current tab) provides a smoother and easier to understand UX than what's possible using the Screen Capture API. The WebRTC WG has rough consensus that this is a useful scenario to address and is exploring approaches to enable that scenario; we are seeking input from the TAG on how to do that safely and consistently with the rest of the platform.

Explainer: Two rough approaches have been discussed:
- getCurrentBrowseringContextMedia - explainer at https://docs.google.com/document/d/1CIQH2ygvw7eTGO__Pcds_D46Gcn-iPAqESQqOsHHfkI/edit#heading=h.bj2aavkeqqud related discussions at https://github.com/w3c/mediacapture-screen-share/pull/148 and https://github.com/w3c/mediacapture-screen-share/issues/156, with concerns around cross-origin protections (see below)
- getTabMedia() secured by COEP sketched in https://docs.google.com/presentation/d/1CeNeno5XuDhm1mpnVyE9eT14YKZgZUtgQsJfC8uqEpA/edit#slide=id.gaef31c926d_1_72 (slides 16-28)
Security and Privacy self-review The gist of our request for input is on the privacy and security trade-off given that in a number of cases, the content to be captured from a given tab will include cross-origin content (e.g. Web slides that integrate a video hosted on a streaming service), possibly nested several times.

In general, we recognize that an API that allows to capture a single tab reduces some privacy risk compared to the generic screen sharing API (with less risk to share unintended content), but creates a bigger security attack surface where a Web site could embed third-party content and social-engineer the user to get it captured to gain access to cross-origin information.

In particular, there is active discussion on whether embedded origins should opt-in or opt-out of that possibility: https://github.com/w3c/mediacapture-screen-share/issues/156

The trade-off is discussed in slides https://docs.google.com/presentation/d/1CeNeno5XuDhm1mpnVyE9eT14YKZgZUtgQsJfC8uqEpA/edit#slide=id.gaef31c926d_1_37 from 11 to 28
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/mediacapture-screen-share/
Primary contacts (and their relationship to the specification):
- Elad Alon (@eladalon1983, Google), Jan-Ivar Bruaroey (@jan-ivar, Mozilla) have been shepherding the discussions in this space
Organization/project driving the design: WebRTC WG

Further details:

I have reviewed the TAG's API Design Principles
The group where the incubation/design work on this is being done (or is intended to be done in the future): WebRTC WG
The group where standardization of this work is intended to be done ("unknown" if not known): WebRTC WG
Existing major pieces of multi-stakeholder review or discussion of this design: (see above)
Major unresolved issues with or opposition to this design: (as described above, the security model for cross-origin content)
This work is being funded by: N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option): 🐛 open issues in our GitHub repo for each point of feedback

Discussions

2021-09-Gethen

Minutes

Sangwhan: 609 we're supposed to provide feedback on path forward in terms of security. Breaks the origin model?

Dan: you can already share the screen? If you're sharing the screen what's the difference with sharing the tab? if you're sharing the screen that has that tab on it your'e doing the same thing. Firefox already lets you share screen.. you're not sharing the DOM, you're sharing an image of what's in that tab. The pixels.

Sangwhan: there's a slidedeck.. the more secure proposal.. it was quite subtle but valid, but I don't remember the details.

Dan: we could ask for additional information and with that we can close the 625.. we're not being asked to review 625..

2021-10-25

Minutes

Dan: don't know what the latest is [reaches out to Dom]

Dan: let's discuss more at the plenary.. Dom has closed it?

[a wild Dom appears]

Dan: what's the situation? Competing issues 609 and 625.. it looks like there's an agreed proposal for the future but an interim thing that Chrome is doing. We closed 625 saying we have concerns with an interim thing and we encourage them to do work in web rtc.. they said they intend to

Dom: for 609, a specific set of questions on the security properties, I closed because I think we've got convergance on the approach we need to take is one that requires opt in by websites to be captured, that's what's going to emerge hopefully soon in this new repo where this getViewportMedia spec is going to be developed. My sense, I will wait to see, but my sense is that there is now convergence in the web rtc wg in that direction. I'm not entirely clear whether the interim proposal is still going ahead. Their concern is that they don't think websites are going to adopt this new opt in mechanism in a short timeframe so they want to use this capture tab from google presentation that's going to fail in a large number of cases in a way that is obscure to developers and users. That was the motivation, how they intend to deal with that problem I'm not clear. I think the TAG pushback was extremely useful in getting more convergence in the wg, but I'm not sure where they've landed yet.

Dan: sounds positive. We shouldn't worry until a new review request comes our way?

Dom: yes