Should we support strings in addition or in lieu of opaque identifiers? #46
Comments
|
Some general thoughts against user agent generated strings. To avoid this, using web page provided IDs or using CropTarget serialisation seem more promising approaches. |
I think that'd be for the best. Modulo the next points.
I much prefer UA-assigned strings. App-assigned strings would mean we have to consider collisions (both in spec and in implementation). If the user agent assigns, it can trivially guarantee no collisions by randomizing a UUID. Less to worry about. Simple.
So long as we never assign the same string value to a new Element, what's the problem? And if we randomize a UUID, that's easy to guarantee.
As the identifier will be attached to the Element, we can GC when the Element is GCed. Am I missing some complication? |
A CropTarget life can be much shorter than an Element. This is one thing that makes CropTarget appealing. I believe CropTarget serialisation/postMessage should be sufficient for all current and future scenarios. |
|
Practically speaking, I think Theoretically speaking, I don't yet understand your concerns over ID lifetime; if you have the time to educate me, I'd be happy to hear more. Namely: const token = makeToken(document.getElementById('some_id'));
const uuid = makeUUID(document.getElementById('some_id'));Assume the relevant element is garbage-collected but |
I disagree here, it does not make sense to do stringification on top of CropTarget.
The interesting case is when the element is still present, not when it went away.
If you GC You cannot recreate a CropTarget like you can with strings. |
Whether we deprecate the token in favor of a string, or add stringification on top, is an issue for future discussion. At the moment, what's important for me is that both options are technically feasible.
What's interesting about that case?
Recreating the UUID is equivalent to never letting go of the CropTarget. What I'm missing is a scenario where the app would be forced to let go of CropTarget, but could somehow (i) keep hold of the UUID, which is easy, AND (ii) have it still be meaningful, which is... impossible, I think...? What am I missing?
We've specified that CropTarget holds a weak-reference to the Element. If the Element is GCed, the CropTarget becomes meaningless. (And btw - that's another way GC can be observed here, regardless of whether we go with a UUID or a CropTarget.) |
If element went away, you can clear the mapping between CropTarget/uuid and the element. No different between CropTarget and UUID.
Exactly, and that is not great. We like to free memory as soon as we can.
No. Before being GCed, the element will be detached from the DOM. At that point, cropping/cropTo should give us the same result, whether the element is GCed or not. |
|
One advantage of keeping it as an opaqueToken is that from the developer point of view you can be pretty certain of it's provenance - it probably came in a postMessage via a message port you opened. This makes it easy to decide how much to trust it. |
|
The benefit of Stringifying is that it allows the token to round-trip via a server or two. But this risks forcing apps to speculatively send their cropTargets to all the big players on the off chance that their page may be being captured, producing a potential privacy honeypot. |
Why would it be more/less trustworthy if you got it as CropTarget or as string-which-is-a-UUID? Could you please lay out a concrete problematic case that developers would need to be wary of?
Or they could use Capture Handle.
|
|
I can't tell if it is more or less trust worthy - that's the point - but |
|
As to a specific risk - one I have in mind goes like this: A major Video Conference app chooses to offer a server based webAPI for co-operating web apps to submit their cropTargets (to avoid cross origin issues). Perhaps it even penalises sites that don't with a user warning or something. Now suddenly every app that ever wants to be capable of being screenshared without the warning will have to (speculatively because it can't know the user intent to capture it) always send cropTargets to the video conference server's API for every user session - even if this user has never and will never use that conference server. None of this happens with an opaque token because unless the user actually has a session with the videoconference app, there is nowhere to post message the token to, so no stats can be collected. |
Assume we specify:
Tracking becomes impossible unless you actually get the user to capture the tab from which the CropTarget comes, which is sufficiently rare and user-driven as to be uninteresting. (At that stage, tracking using CropTarget is the least of your worries; you have plenty of other surfaces.)
|
|
There are 2 issues here, which I put in separate comments above, and I'll try and keep separated again here. From the point of view of the recipient of a cropTarget (e.g. a video conference app), I claim it is much easier to be sure that it is genuinely from where it appears to be than a UUID string that may have been passed through several layers of servers. No amount of improvement of the rules on creation of the CropTarget UUID makes any difference to proof of provenance. |
|
To be clear, my second point is about the threat of a theoretical VC service that uses the arrival of cropTarget UUIDs as a way of collecting usage data on its competitor's other apps (say slideshow apps) - especially interestingly of users who don't use the VC app, but the slideshow vendor still has to send cropTargetUUIDs anyway on the off chance that the user might use the VC app. It doesn't need to actually apply the UUIDs in a live capture, it still gets usage data. The existence of cropTargets as UUIDs enables this risk in a way that an opaque token prevents. |
So the video conferencing application would twist the arm of the entire Web by giving degraded service to those who do not comply with its demand to be tracked? What's more important for Wikipedia - their compliance with various regulations, or the off-chance that someone might be tab-sharing them? Your hypothetical video conferencing tracking-tyrant would find that:
I don't think this is a credible concern. But I am open to hearing more and having my mind changed. |
|
Here is an alternative version of the attack you proposed, which would not require any CropTarget. It works equally well with today's means:
Since this attack is equally technically feasible with/without serialization, I believe we can now forget about this concern. |
|
Sure, but I'm afraid my scenario is plausible and yours hopefully isn't because it involves a lot of compute cycles to add and detect watermarks and they offer no user benefit in return for breaking e2e crypto promises. CropTarget UUIDs are lightweight and offer apparent user benefits. My point is that you can get all the user benefit without the risks by keeping it as an opaque token. My example wouldn't be described as tracking, it would be 'enhanced collaboration', but of course once the data arrived it would be irresistible to use it in additional ways. |
The UUID is still opaque if it observes these guidelines. I believe the crux of your concern is not opaqueness, but rather transmissibility to remote servers. I believe transmissibility to be desirable, because it allows cross-origin collaboration that would easily hook up to existing infrastructure. You have brought up a possible abuse scenario. I don't personally see it as credible, but we can have different opinions, that's fine. I have shown that technically, the same concern exists already; however, now you believe my scenario is not credible. (That's also fine.) How do we resolve this? Do you have a suggestion for determining which concerns are credible and which are not? |
|
Yes, you are right - Transmissibility is the word I should have been using all along. As to how to evaluate such concerns - I guess there are a couple of axes .
Can you outline a scenario where lack of transmissibility would prevent cooperation between cross-origin services in the same user agent session ? I think the credibility is partly to do with a how small the steps are that you have to take to get to the risk. |
Video conferencing is big in our world, but it's not so big that Wikipedia and other non-video-conferencing sites would worry that they must comply with arbitrary demands for fear of tab-sharing not working too well. Let's run a thought experiment. You and I together quit our current jobs and start a new video-conferencing application. We're tremendously successful and gain 125% of the market - we're just that good. Now we write an email to Wikipedia and explain to them that, unless they start sending us CropTargets whenever they do any page-load, we will penalize them! They write back - "penlize how?" To which we respond - "we will annoy our OWN users with anti-Wikipedia messages whenever they try to tab-share Wikipedia pages!! (Not if they share a windows or the entire screen, though. We have technical limitations and decided not to use watermarking to circumvent them; we'll only harm your tab-sharing game.)" What do you think happens next? I think we might give someone in Wikipedia the laugh of their life. But I don't think they'll bother emailing us back. After all - why should they care? What percentage of Wikipedia page loads culminate to a user trying to tab-share that page? Also - how long will our users stick with us if we do follow-through on our threat? To summarize - I don't think this is a real risk.
I can outline a scenario and simultaneously give a shoutout to the greatest musical genius of our generation.
Meet captures YouTube running in another tab. YouTube wants to send over a CropTarget focusing on the video and cropping away the list of suggested next videos. Meet could then show the user controls to crop to the video or share the entire tab. [1] The benefit here is that the user could easily hide their playlist, which they might find embarrassing. But how can youtube.com send a message to meet.google.com? Enter shared cloud infrastructure...[2] -- |
|
As for legitimate purposes for sending CropTarget optimistically to unknown capturers - if these purposes are truly legitimate, then the real question is - how do we provide them in such a way, that sites can reap the benefits without:
I think these are great questions, and we should tackle them as follow-ups. (Exposure using Capture Handle is my answer there, btw.) The use-case outlined in the second half of my previous message, assumes the capturer/capturee have an intimate relationship despite being cross-origin, and stringification solves that problem simply and easily. |
So vimeo users will continue to get their playlists shown. Unless vimeo also participate by sending API messages to an open meet.google.com. |
I am calling into question your basic premise. I don't believe that a non-negligible number of sites would ever send stringified CropTargets optimistically, because that's just too expensive, and the upside is nil in 99.9999% of the cases. I think the only case where CAPTUREE would send CAPTURER a CropTarget, is if:
As such, I still hold that the risk of tracking by soliciting the entire Web to send you CropTargets is unfounded. |
|
I don't (entirely) disagree. But the practical effect is the same - either vimeo performs worse in meet than youtube does or they optimistically send cropTargets. Because they don't share server infra/trust with meet. |
|
However.... I have had an idea - what if the CropTarget UUID was also made visible as a property of the track. Then an app can set an 'area of interest' CropTarget - and any capturing apps can retrieve it and apply the CropTarget or not at it (or the user's) discretion. |
Do you mean a property of the track via being a property of Capture Handle? If so, yes, I've had this idea too. The idea is basically for the capturee to expose a mapping like |
|
In general, I agree with @steely-glint. An alternative mentioned during past discussions is to either postMessage the CropTarget and/or add new API via Capture Handle API to expose CropTarget to capturers. For instance by allowing to pass serializable objects in addition to strings, or by allowing to open a MessagePort-based communication channel between a capturee and any capturer. |
|
I really like the idea of not needing to use post message at all and relying on other constructs we've already got access to. While discussing this with @steely-glint the other day I started thinking what those could be ranging from "let any page listening for a "createdCropTarget" event know about an available crop target" to "have a list of crop targets on a media stream track and also allow events to tell tab A that's already sharing tab B that tab B has a new crop target available" and then we get away from needing to talk about strings/opaque identifiers etc... when creating a crop target you could limit a crop target to a certain origin if you wanted your crop to only be available to your set of domains.... you'd also need to be able to set a description against crop targets so that an end user could select "I want to share the presentation and not the notes" - there would be no in-between server or post message for you to add any meta data - you'd be reliant on the browser to have that information in a crop target and give that information to the other tab etc. I'd kinda like to offer crop targets direct to a end user visually too - think about selecting a tab from the share your tab gui...... you select a tab that has active crop targets..... and it asks if you want to share the whole tab or a crop taget - giving the nice visual representation of that crop target just like they get for a tab.... this kind of media stream track wouldnt be allowed to remove that crop target as it had been explicitly shared. (but that's getting side tracked) Getting back to this topic.... how would this work? No access to crop targets until you have access to the media stream track that has corresponding crop targets associated with it.... see a list of available crop targets (and their descriptions etc) on the media stream track with a new event telling you about any new crop targets that have been made since the media stream track was initialised..... Maybe we could allow a crop target to have a user generated ID associated with it.... just like a description. that way Meet could still be told that google slides has a list of crop targets and one of them has a user generated ID of X so that Meet can auto crop to X..... Sorry for the brain dump.... |
|
@jan-ivar, during today's meeting, you asked "why not make the CropTargets stringable?" Tagging @alvestrand, @youennf and @dontcallmedom for visibility. |
|
Note - if a CropTarget() is stringable, there are only two ways to use that string that I can think of:
All the verification that this is a valid crop target that you're supposed to have access to would be in the "create a CropTarget" function. The stringification part alone is basically harmless, because it's mostly useless. |
CropTarget current proposal is basically an opaque wrapper around some kind of element identifier.
@eladalon1983 original proposal was to expose a string, with some use cases in mind that could take benefit of the identifier being a string.
The WG decided to move to an opaque identifier.
Since then, @eladalon1983 mentioned several times the string use cases with the potential idea to allow CropTarget stringification.
This raises a few questions:
The text was updated successfully, but these errors were encountered: