LGTM3

On Wed, Sep 11, 2024 at 6:02 PM Vladimir Levin <vmp...@chromium.org> wrote:
> LGTM2
>
> On Wed, Sep 11, 2024 at 12:00 PM Alex Russell <slightly...@chromium.org>
> wrote:
>
>> LGTM1
>>
>> On Tuesday, September 10, 2024 at 3:36:50 PM UTC-7 Reilly Grant wrote:
>>
>>> LGTM as an IWA OWNER (3x LGTM from Blink API OWNERS are still required
>>> according to the IWA-specific API launch process
>>> <https://www.chromium.org/blink/launching-features/isolated-web-apps/>).
>>>
>>> This feature has been an interesting case study for when to restrict a
>>> capability to IWAs because the two underlying components of it, capturing a
>>> screen and enterprise policies to control a permission, exist in other
>>> features without requiring such drastic security measures. In
>>> consultation with the Security reviewers however we found that the
>>> combination of a requirement to capture all screens (which is more
>>> dangerous than normal screen capture because it doesn't allow the user to
>>> differentiate between shared and unshared content) and an administrator
>>> control (which removes user agency to decide whether their screen is
>>> displaying sensitive information) makes this feature a particularly
>>> attractive target for an attacker and necessitates the code integrity
>>> protections provided by Isolated Web Apps.
>>> Reilly Grant | Software Engineer | reil...@chromium.org | Google Chrome
>>> <https://www.google.com/chrome>
>>>
>>>
>>> On Tue, Sep 10, 2024 at 7:39 AM 'Simon Hangl' via blink-dev <
>>> blink-dev@chromium.org> wrote:
>>>
>>>> Contact emails
>>>>
>>>> simo...@google.com, swethasiva...@google.com
>>>>
>>>> Explainer
>>>>
>>>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>>>
>>>> Specification
>>>>
>>>> https://screen-share.github.io/capture-all-screens
>>>>
>>>> Design docs
>>>>
>>>> https://screen-share.github.io/capture-all-screens
>>>>
>>>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>>>
>>>> https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit?usp=sharing
>>>>
>>>> Summary
>>>>
>>>> Capture all the screens currently connected to the device using
>>>> getAllScreensMedia().
>>>>
>>>> Calling getDisplayMedia() multiple times requires multiple user
>>>> gestures, with the user manually selecting the next screen each time, and
>>>> without a guarantee to the app that all screens were selected.
>>>> getAllScreensMedia() improves on all of these fronts.
>>>>
>>>> (As this feature has extreme privacy ramifications, it is only exposed
>>>> behind an enterprise policy, and users are warned before recording even
>>>> starts, that recording *could* start at some point.)
>>>>
>>>>
>>>> Blink component
>>>>
>>>> Blink>Media>GetAllScreensMedia
>>>> <https://g-issues.chromium.org/components/1637013>
>>>>
>>>> TAG review
>>>>
>>>> https://github.com/w3ctag/design-reviews/issues/856
>>>>
>>>> TAG review status
>>>>
>>>> TAG has expressed concerns about exposing such a powerful capability on
>>>> the web. We mitigate their concerns by moving the API to Isolated Web Apps
>>>> and only exposing it to apps that are explicitly allowlisted by the device
>>>> owner.
>>>>
>>>> Chromium Trial Name
>>>>
>>>> GetAllScreensMedia
>>>>
>>>> Link to origin trial feedback summary
>>>>
>>>> https://github.com/screen-share/capture-all-screens/issues
>>>>
>>>> Origin Trial documentation link
>>>>
>>>> https://github.com/screen-share/capture-all-screens
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> This API is only available to origins allowlisted by administrators
>>>> through a policy. The policy itself is non-standard, limiting even
>>>> theoretical interoperability. This API rejects requests from pages that are
>>>> not allowlisted by an administrator. The likelihood of this API being
>>>> adopted by a browser that does not provide administrators mechanisms to
>>>> manage clients is low.
>>>>
>>>>
>>>> Gecko: N/A - given that the API is limited to managed configurations,
>>>> it's not clear that requesting a position is needed
>>>>
>>>> WebKit: N/A - given that the API is limited to managed configurations,
>>>> it's not clear that requesting a position is needed
>>>>
>>>> Web developers: Positive (
>>>> https://github.com/screen-share/capture-all-screens/issues/9)
>>>>
>>>> Other signals:
>>>>
>>>> Ergonomics
>>>>
>>>> No
>>>>
>>>>
>>>> Activation
>>>>
>>>> The challenge for developers is the limitation of the API to origins
>>>> allowlisted by an enterprise policy.
>>>>
>>>>
>>>> Security
>>>>
>>>> 1. Risk of malicious sites exploiting the API and gaining access to
>>>>    sensitive information on users' devices. This risk is mitigated by the
>>>>    API only being accessible to origins allowlisted by an enterprise
>>>>    policy.
>>>> 2. Risk of an allowlisted site being compromised to gain access to
>>>>    sensitive information on users’ devices. This risk is mitigated by the
>>>>    API only being accessible to Isolated Web Apps.
>>>> 3. Risk of users loading private information that gets recorded and
>>>>    made available to apps affiliated with their device's admin.
>>>>    This risk is mitigated by informing users that recording might start
>>>>    at any moment before the API becomes accessible. (In CrOS, this
>>>>    warning is delivered in the log-in screen, and when users log-in
>>>>    despite the warning, this is tantamount to assent.)
>>>> 4. Risk of users forgetting that their screens are being recorded.
>>>>    This risk is mitigated through a persistent notification.
>>>>
>>>>
>>>> WebView application risks
>>>>
>>>> N/A (No change in behavior for existing APIs).
>>>>
>>>>
>>>> Debuggability
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?
>>>>
>>>> No
>>>>
>>>> This API is initially implemented on CrOS, where demand for it is
>>>> greatest, and where we have the most flexibility in offering users early
>>>> warning that their screens may be recorded if they proceed past the log-in
>>>> screen. Lessons learned from shipping this API on CrOS will be used when
>>>> deciding how to correctly implement such warnings on other platforms.
>>>>
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>
>>>> No, as WPTs don’t support setting of managed policies. The API is
>>>> tested by a number of unit- and browser- tests (Test files
>>>> <https://source.chromium.org/search?q=getallscreensmedia%20f:test.cc%20-f:out%2F&sq=>).
>>>>
>>>>
>>>> DevTrial instructions
>>>>
>>>> https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md
>>>>
>>>> Flag name on chrome://flags
>>>>
>>>> chrome://flags#enable-get-all-screens-media
>>>>
>>>> Finch feature name
>>>>
>>>> GetAllScreensMedia
>>>>
>>>> Non-finch justification
>>>>
>>>> This feature is only available through active enabling by admin policy
>>>> and can be disabled the same way at any time.
>>>>
>>>> Requires code in //chrome?
>>>>
>>>> True
>>>>
>>>> Tracking bug
>>>>
>>>> https://issues.chromium.org/issues/40216442
>>>>
>>>> Launch bug
>>>>
>>>> https://launch.corp.google.com/launch/4276771
>>>>
>>>> Measurement
>>>>
>>>> As this is a managed feature, monthly active users can be measured and
>>>> are displayed at go/contact-center-dashboard
>>>> <https://goto.google.com/contact-center-dashboard> (Googlers only).
>>>>
>>>> Availability expectation
>>>>
>>>> Feature is available only on ChromeOS for the foreseeable future.
>>>>
>>>> Adoption expectation
>>>>
>>>> We anticipate this feature being used by partners in the contact center
>>>> space (or other areas that have to comply with regulation or established
>>>> usage patterns that require screen capture).
>>>>
>>>> Adoption plan
>>>>
>>>> There is already a significant number of developers that are working on
>>>> integrating this feature in their products (beyond the developers that
>>>> expressed public interest here
>>>> <https://github.com/screen-share/capture-all-screens/issues/9>).
>>>>
>>>> Non-OSS dependencies
>>>>
>>>> At this time, this feature is only enabled through the Chrome admin
>>>> panel <https://admin.google.com/>.
>>>>
>>>> Sample links
>>>>
>>>> https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md
>>>>
>>>> https://github.com/screen-share/capture-all-screens/blob/main/README.md
>>>>
>>>> Estimated milestones
>>>>
>>>> Shipping on desktop
>>>>
>>>> 137
>>>>
>>>> Origin trial desktop first
>>>>
>>>> 118
>>>>
>>>> Origin trial desktop last
>>>>
>>>> 128
>>>>
>>>> Origin trial extension 1 end milestone
>>>>
>>>> 131
>>>>
>>>> DevTrial on desktop
>>>>
>>>> 116
>>>>
>>>> Note there is a gap between the end of the origin trial (M131) and the
>>>> launch of this API (M137).
>>>> Developers are currently using this API in PWAs
>>>> via OT and we agreed with Blink owners (assuming substantial progress on
>>>> the launch of this API in Isolated Web Apps) to extend the OT until
>>>> (including) M136 to enable developers to move from PWAs to IWAs. Please
>>>> refer to this thread
>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/HErdlr3e_V0/m/WAey1zq5AAAJ>
>>>> for further information.
>>>>
>>>> Anticipated spec changes
>>>>
>>>> No open issues and no anticipated changes.
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>>
>>>> https://chromestatus.com/feature/6284029979525120?gate=5610053803966464
>>>>
>>>> Links to previous Intent discussions
>>>>
>>>> Intent to Prototype:
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEdDZo9N354i6eST0x19TXwpeBtgs5_gJUYVF%2BTKLpiJySDADg%40mail.gmail.com
>>>>
>>>> Intent to Experiment:
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/NOm-YEQCAgAJ
>>>> Intent to Extend Experiment 1:
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/HErdlr3e_V0
>>>>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAP0TkgEM43oxOSdADK5upZauT9HgGnse4AfS5r403kKs9uoi8Q%40mail.gmail.com
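
Added example, not part of the thread and not Chromium code: a sketch of how an app might handle the three outcomes the quoted Intent describes for getAllScreensMedia() (feature not exposed, request rejected because the origin is not allowlisted, or one stream per connected screen). It assumes the caller passes `navigator.mediaDevices`; the stub objects and the `NotAllowedError` name are constructed for the example.

```javascript
// Added illustration; the stubs below are constructed, not Chromium code.

// Request every connected screen in one call and report which of the
// outcomes described in the thread occurred.
async function captureAllScreens(mediaDevices) {
  // The method may be absent where the feature is not exposed.
  if (!mediaDevices || typeof mediaDevices.getAllScreensMedia !== "function") {
    return { status: "unavailable", streams: [] };
  }
  try {
    // No per-screen picker: resolves to one stream per connected screen.
    const streams = await mediaDevices.getAllScreensMedia();
    return { status: "capturing", streams };
  } catch (err) {
    // Requests from origins the administrator has not allowlisted reject.
    return { status: "rejected", reason: err.name, streams: [] };
  }
}

// Stop every track so capture ends when the app no longer needs it.
function stopAll(streams) {
  let stopped = 0;
  for (const stream of streams) {
    for (const track of stream.getTracks()) {
      track.stop();
      stopped += 1;
    }
  }
  return stopped;
}

// Constructed stand-ins for MediaStream and MediaDevices.
const fakeStream = () => ({ getTracks: () => [{ stop() {} }] });
const allowlisted = { getAllScreensMedia: async () => [fakeStream(), fakeStream()] };
const notAllowlisted = {
  getAllScreensMedia: async () => {
    // Error name is an assumption made for this example.
    throw Object.assign(new Error("blocked by policy"), { name: "NotAllowedError" });
  },
};

// Runs all three cases against the stubs and returns the results.
async function demo() {
  const ok = await captureAllScreens(allowlisted);
  const denied = await captureAllScreens(notAllowlisted);
  const missing = await captureAllScreens({});
  return { ok, denied, missing, stopped: stopAll(ok.streams) };
}
```
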