
Please do not do this.

You should not instruct users to change flags in order to use this. This opens up fairly serious security loopholes as malicious websites can start screensharing without being instantiated by the user.

Instead of using the getUserMedia API directly, you should use Chrome's chooseDesktopMedia API to get a desktop capture source (the screen, a tab, or any application window). The chooseDesktopMedia API is available in Chrome 34+ and can be used to do desktop screen capture/share without asking the user to enable flags.

As of 6 hours ago, the flag (#enable-usermedia-screen-capture) has been removed and will not be present in Chrome 35 Stable. [Ref: https://codereview.chromium.org/270353002 & https://code.google.com/p/chromium/issues/detail?id=347641]

In any case, cool hack!




Another benefit of using cDM: more visitors to your site would be able to use your app right now instead of posting "Chrome vers. doesn't work" :-)

20% of the world (and likely an even larger percentage of HN users) already have cDM support! [http://caniuse.com/usage_table.php]


I was excited about this at first. I don't know of any simple way to record my screen without having to download decade-old software. A web-based solution like this would be amazing... Until I realized I'd have to follow a list of work-arounds just to get it working.

Hoping this is just the first trial run and the next iteration will get this resolved.


The getUserMedia API is still fairly early. If the OP used the chooseDesktopMedia API in concert with getUserMedia and built a Chrome Extension, you wouldn't have to do any of these work-arounds.

I expect an enormous number of Chrome Extensions that do all sorts of web-based screen recording & sharing in the coming months.


(yo Darshan!)

Correct me if I'm wrong, but isn't that API an extension-only API?

https://developer.chrome.com/extensions/desktopCapture


It does look like it is only for extensions. Does this mean it will now be impossible for users to use desktop sharing from web apps?

I don't really see the security problem. Right now there is a popup asking if you want to share your screen, and there is also a permanent warning at the bottom of the screen while the screen is being shared. Also it is only available on https sites. What possible security risk is there?


In M34, a user can still use getUserMedia with a screen media source as long as they enable the flag.

In M35+, the flag will no longer appear. Thus, the only way to get a screen media source (tab, screen, window etc.) in the first place is to use the chooseDesktopMedia API. That will give you a source id to use with the getUserMedia API.
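Added example, not part of the thread or any commenter's code: the extension-side flow described above, where `chooseDesktopMedia` returns a source id that is then handed to `getUserMedia`. The function names and the injected-API parameters are assumptions so the flow can be exercised outside Chrome; the constraint keys are Chrome's legacy `mandatory` form.

```javascript
// Added example. captureDesktop/desktopConstraints are hypothetical names;
// only chooseDesktopMedia and the getUserMedia constraint keys are Chrome's.
// The extension manifest must declare the "desktopCapture" permission.
const ALLOWED_SOURCES = ['screen', 'window', 'tab'];

// Constraint object that binds getUserMedia to the source the user picked.
function desktopConstraints(streamId) {
  return {
    audio: false,
    video: {
      mandatory: { chromeMediaSource: 'desktop', chromeMediaSourceId: streamId }
    }
  };
}

// desktopCapture: chrome.desktopCapture (only present in an extension context).
// getUserMedia(constraints, onStream, onError): for example
//   navigator.webkitGetUserMedia.bind(navigator)
// done(err, stream) is called exactly once.
function captureDesktop(desktopCapture, getUserMedia, sources, done) {
  const valid = Array.isArray(sources) && sources.length > 0 &&
    sources.every(s => ALLOWED_SOURCES.includes(s));
  if (!valid) {
    return done(new Error('no valid source type requested'));
  }
  // Chrome draws the picker itself; the caller never enumerates screens or
  // windows and only learns about the one source the user selects.
  desktopCapture.chooseDesktopMedia(sources, function (streamId) {
    if (!streamId) {
      // Empty id means the user dismissed the picker: stop here, and do not
      // re-prompt in a loop or fall back to another capture path.
      return done(new Error('user declined to share'));
    }
    getUserMedia(
      desktopConstraints(streamId),
      stream => done(null, stream),
      err => done(err)
    );
  });
}
```
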


(Hey Randall! :-)

Yes, it requires an extension and that's the way it ought to be. Explicit user-intent, properly sandboxed.

Allowing any website to arbitrarily capture your entire desktop screen (or any application screen) is an enormous security risk that shouldn't be taken lightly, so an extension seems like the right decision.


Here's the issue... our product is an HTML5 cross-platform web conferencing platform. Users simply click on a link to join a session. Our product isn't an extension - it's simply HTML and JavaScript.

So basically you're saying that we either need to change the architecture of our app for Chrome so that it is an extension, or else put the screen-sharing part into an extension. (I'm guessing our entire app would need to be an extension, due to 'sandboxing', although I'm not certain). To be honest I'm not sure why we should change to an extension just for Chrome (and just to get screen sharing). It's a bit like telling us we need to rewrite our app in NaCl just for Chrome :)

Ideally I would like a cross-platform screen sharing feature in getUserMedia, similar to how it worked in Chrome (but without the user having to set any flags).

I don't really buy the arguments in http://tools.ietf.org/html/draft-ietf-rtcweb-security-06#sec.... Worst case is a dumb user gives permission to screen share to a dodgy site which then reads their bank balance and/or emails (but can't get access to any passwords). If that's a concern then why not just have a small preview window showing exactly what is being shared?


Hi! I think you missed the security implications of the current getUserMedia model for screen access.

While you wish to have the easiest user experience (no extension, one click screen share/capture), this is a dangerous problem.

Let me explain... when a user currently enables the #enable-usermedia-screen-capture flag in Chrome, this allows any JavaScript on any webpage to capture a chromeDesktopSource such as a window or tab without being initiated or approved by the user.

Imagine a malicious website or advertisement that now calls getUserMedia and takes a screencap of your personal email account, bank account or private chat. The user may or may not notice the Chrome notice saying "http://website is sharing your screen" (paraphrased) but even if the user noticed it and pressed "Stop" the damage has already been done. It only takes a fraction of a second for a malicious app to screencap each browser tab.

By Chrome 35, you will no longer have to set any flags, but you will not be able to get the chromeDesktopSource without first going through the chooseDesktopMedia API.

Each time a website wants access to a Desktop Source (screen, tab, or window), it will have to explicitly ask the user for a source and permission via the Chrome dialog.

Does that make more sense now? Hope it helps.


One more clarification: this is for chromeDesktopSource - I do not believe you'll have to use chooseDesktopMedia or create an extension to get access to the webcam video or audio stream. This is just about desktop media (screen, tab or app window) access.


I can't find any reference to chromeDesktopSource anywhere - is that correct?

Currently there is a prompt every time when you request the desktop chromeMediaSource: 'screen' - it says something like 'Allow this web page to share your screen'. It definitely does not just grab your screen automatically with no prior warning.

According to the WebRTC bug report the ONLY way you will now be able to access the desktop is via an extension. Chrome are doing this because they believe there are too many risks in desktop sharing, and even putting a bigger, scarier warning isn't sufficient because many users apparently ignore warnings.


Even with security risk, this is a bit of a golden egg for automated selenium testing!



