-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Identity] Don't reinvent postMessage #11
Comments
Does this expose any security risk that PostMessage does not? Again, this does not seem to be an adoption blocker. |
|
I'm not claiming a security risk here. Merely unfortunate redundant design that undermines the desired usage pattern. This is a mechanism for bootstrapping a message channel, which seems undermined if it's easier to use it as a message itself. I didn't find a general design principle about needlessly reinventing existing concepts, except for event handlers, but this seems like reasonable feedback to me. cc @annevk to see if there is a design principle that applies here.
By this rationale, the Capture Handle API itself seems unnecessary. Again, I'm not making a security claim here. |
I would also like to understand what the use case is for calling this method more than once. If this serves no purpose then we shouldn't allow it. I did find https://w3ctag.github.io/design-principles/#simplicity relevant here. |
Please read point number 3 in this message. |
This seems out of scope, and not necessary once a relationship has been established. |
I looked into this a bit:
I'm not sure what the requirements and tradeoffs are here, but it does seem like some more investigation is warranted. |
Before we proceed with the technical discussion of whether Wdys, @jan-ivar? |
Resurrecting this issue now that W3C-adoption has been unblocked and completed.
The capturer is already receiving every single pixel the capturee is drawing to the screen. These origins are reaching each other already.
I think that if we look closely, we'll see that a lot of APIs can be creatively used for transporting a message. Since in this case we're carrying a message from capturee to capturer, which is a direction in which communication is already possible, I don't see a problem. |
With capturee -> capturer communication, we have this flood of data running already. |
A drive-by suggestion: Maybe rate-limiting the calls to |
If it helps things along (@jan-ivar?), I am OK with adding rate-limiting initially (as a raised exception), but I'd then like to continue the discussion for removing it. Rationale: |
If we were doing rate-limiting, I'd rather do it on the notification end - for instance, change the description of setCaptureHandleConfig's event firing to something like: Queue a task to execute the following steps:
(idea courtesy Jan-Ivar's discussion of reflecting muting on mediacapture-transform) |
Agreed. A potential counter-point would be that this still allows a capturee to bombard the memory of the capturing application, but:
So I propose:
|
It's common for the top-level to be reloaded when users log in/out, but is it necessary? If not, then a user logging in/out/in is one case where calling |
sendCaptureAction is rate-limited because it requires transient activation and consumes user activation.
@yoavweiss Thanks, I think that's a good idea worth considering as a minimum. But I think the fact that (short of screen-scraping) no other cross-storage message channel exists in the platform today, merits concern. It's even superior to the messaging channel it's supposedly bootstrapping, which I guess would be:
I don't see who'd bother setting up the 2nd. if they can send local cross-storage instructions munged into I'd prefer single-use to start. We can always loosen it later, which is easier on web compat than tightening up mistakes.
That's a good question. I've not been impressed by other use cases mentioned offline, which included getting info to the capturer in time for the proposed "conditional focus" API. That's a legitimate problem, but seems deserving of a proper solution, not a hack like this. Maybe a shared |
Can you clarify what you mean by "cross-storage"? I'm not familiar with that term.. |
If I have missed the part of BroadcastChannel.postMessage's specification that forbids cross-tab communication, as of 2022-03-14, please help inform me.
I think this is a proper solution, and NOT a "hack".
I am sorry to hear that you were unimpressed. But I maintain that these are important use-cases, and I know Web-developers who would attest as much.
I don't see how that would work. (Also,
What information could theoretically change your mind? |
Issue #35 discusses another use-case for calling @aboba, is my Microsoft interested in this use-case? |
It's worth noting that these are moving towards communicating across StorageKeys, not origins. See https://github.com/wanderview/quota-storage-partitioning/blob/main/explainer.md#communication-apis, whatwg/html#5803 (comment), etc. |
I have some concerns about that. I'll reach out internally to discuss. |
@yoavweiss Sorry I meant cross-origin in the brave new world of storage partitioning (chrome, firefox, safari) which @miketaylr later linked to (thanks!) This will break the mailman iframe pattern.
Not cross-tab, but cross-origin. The opening paragraph on BroadcastChannel: "Pages on a single origin opened by the same user in the same user agent but in different unrelated browsing contexts sometimes need to send notifications to each other" |
We have discussed before how embedding a cooperating cross-origin "mailman" iframe could bypass the cross-origin restriction. (And in this context Storage Partitioning was brought up.) |
|
The way navigator.mediaDevices.setCaptureHandleConfig and track.oncapturehandlechange are defined, they create an unintentional broadcast messaging channel from capturee to all capturers (and all their track clones, wherever they may have been transferred). And due to #9 it works long after capture ends.
Capturee can send data like this:
Capturers receive data like this:
While the handle field is capped at 2k bytes, permittedOrigins is unbounded (with some munging).
This is awkward and there are ways to design APIs that do the same thing without such side effects, so we should do that. Otherwise someone somewhere will start relying on it, and then we have to support another alternative to postMessage forever.
Possible solution
I see no reason to allow a (top-level) document to call
navigator.mediaDevices.setCaptureHandleConfig
more than once with non-default values. Maybe throw instead?The text was updated successfully, but these errors were encountered: