64

I am using Chrome 87 with Jitsi Meet 2.0, but I have noticed this behavior too with other setups. When I first enter a room, Chrome asks for the following permissions:

  • Use your microphone
  • Use your camera

Even if I click "Block" to deny these permissions, Jitsi still appears to have access to my entire screen when I click the "Share your screen" button, including other applications and even different virtual desktops. I looked through Chrome's settings, but I couldn't find anything related to screen sharing in the "Privacy and Security" section.

This raises the following questions:

  • How did Jitsi get access to my entire screen?
  • Why didn't Chrome ask me for permission to do so?
  • Can other websites do this too, perhaps even without me knowing?
Jaap Joris Vens
  • 8
    "*How did Jitsi get access to my entire screen?*" You... clicked the "share your screen" button? – TylerH Jan 25 '21 at 15:26
  • 30
    @TylerH and if one chooses to block camera on Chrome, but still clicks the turn on camera on the webapp, do you expect the webapp to have access to your camera? I wouldn't because I instructed my browser not to give access to the camera by the webapp – gota Jan 25 '21 at 17:55
  • 2
    @gota As far as I know Chrome blocks camera requests that sites make. So I would expect the webapp to have access to the camera, because you subsequently explicitly granted access to the webapp by clicking 'turn on camera' after turning it off in Chrome settings. That should override the setting. I would expect group policy to be required to block it at that level. – TylerH Jan 25 '21 at 18:29
  • 19
    @TylerH Consider that case where some Horrible Person (tm) creates a website where the button does not say "Turn on Camera" but instead says "See Cute Animals"... If you deny the site permission to your camera and then click the "See Cute Animals" button, should the website have permission to your camera or not? – user3067860 Jan 25 '21 at 22:01
  • 1
    @user3067860 You're forgetting the browser confirmation modal that appears and says "website is requesting access to turn on your camera" regardless of what the website labels the button as. If you click a button that says "See Cute Animals", get a browser prompt to allow the site access to your camera, and click "yes", then yes it should have permission to your camera. – TylerH Jan 25 '21 at 22:03
  • 8
    @TylerH You didn't say that.. you said if the user clicks the "Turn on Camera" button in the webapp then that should override the Chrome setting. In this case, Chrome has done a poor job of visually differentiating between the browser and the website, so the user clicks on a button expecting the behavior of a website (i.e. no power to change permissions) but instead the button has the power of the browser. (You laugh, but trying to absolutely differentiate between system content and non-system content has been a problem in Windows ever since "ctrl+alt+del to login".) – user3067860 Jan 25 '21 at 22:16
  • 3
    @TylerH So now finally back to OP's original question: How did the website get access to the screen, since simply clicking a button on a webpage shouldn't be enough, and OP did not see a browser confirmation popup? (The currently only answer to this question is very different than your first unhelpful comment.) – JiK Jan 25 '21 at 22:27
  • 2
    @JiK Have you read the answer and OP's comment? They clicked a button on the webpage *and clicked allow on a confirmation modal presented by the browser*. – TylerH Jan 25 '21 at 23:00
  • 3
    @TylerH Yes, I have. That's my point. So instead of writing an unhelpful half-answer as a comment, you could have written that as an answer. The whole discussion here is because your first comment looked like an answer but did not actually answer the question. – JiK Jan 25 '21 at 23:06
  • 1
    Am I missing something obvious? What does sharing the contents of the screen (the output of the video card) have to do with allowing control of the _camera_? Are you using a mirror in front of the camera to show what's on the screen? – FreeMan Jan 26 '21 at 13:27
  • 1
    I believe the camera was just used as an example in the above discussion. The point is that after apparently blocking all permissions, the website should not have access to anything. – Jaap Joris Vens Jan 26 '21 at 13:42
  • @JaapJorisVens It seems to me that "everything" wasn't blocked. At least, my innocent reading indicates that only camera & microphone were blocked. You're satisfied with a given answer, so I won't further stir the pot, I was just trying to clarify. – FreeMan Jan 27 '21 at 17:07
  • You're right, it wasn't. I have no idea why my question got as many upvotes as it did. I simply made an honest mistake, that is all. There is no security issue or permission error here. – Jaap Joris Vens Jan 27 '21 at 18:59

1 Answer

123

Either way, the user agent responds by presenting a user interface that prompts the user to choose the screen area to share. Both of these implementations of startCapture() return the MediaStream containing the captured display imagery.

Taken from MDN description of screen share API

When you press the screen share button, the browser shows you a list of windows, screens and so forth that you can share. By selecting what to share on that screen, you grant permission. In other words the selection and giving permission is a single step process.

vidarlo
  • 11
    Thanks. I never realized it was a "real" popup instead of one of those "model" popups that asked me which screen to share. That makes sense. – Jaap Joris Vens Jan 24 '21 at 11:49
  • 7
    Glad to be able to clear things up :) To answer this, I basically googled 'screen share browser api', which led me to MDN as the top hit - which explained the flow. – vidarlo Jan 24 '21 at 12:42
  • 43
    Depending on the OS, you would also first have to give the browser permission to capture the screen at least once. – Jörg W Mittag Jan 24 '21 at 19:26
  • 8
    In this case the popup displays the contents of your windows and screens as part of showing what you would want to share. If it were a 'fake popup', wouldn't it already have all the access it needs to display those? – Jason Goemaat Jan 26 '21 at 04:45
  • 3
    @JaapJorisVens The correct term for such a dialogue is "modal dialog", with an *a* ;) – Polygnome Jan 26 '21 at 13:34
  • 1
    @Polygnome thanks, I knew that, it's just too late to edit my comment... – Jaap Joris Vens Jan 26 '21 at 13:38
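
The flow the answer describes, as an added JavaScript example (not part of the original answer and not Jitsi's code): camera and microphone are stored per-site permissions, while screen capture is granted by the choice made in the browser's own picker. `shareScreen` and `fakeBrowser` are hypothetical names; `fakeBrowser` is a constructed stand-in for `navigator.mediaDevices` and `navigator.permissions` so the code runs outside a browser.

```javascript
// Added example. In a browser, call
//   shareScreen(navigator.mediaDevices, navigator.permissions)
// from a click handler; getDisplayMedia requires a user gesture.
async function shareScreen(mediaDevices, permissions) {
  // Camera and microphone are stored per-site permissions ("Block" => "denied").
  const stored = {};
  for (const name of ["camera", "microphone"]) {
    try {
      stored[name] = (await permissions.query({ name })).state;
    } catch {
      stored[name] = "unsupported"; // some browsers reject these names
    }
  }
  // Screen capture is separate: the browser draws its own picker on each call,
  // and choosing a surface in that picker is the grant.
  try {
    const stream = await mediaDevices.getDisplayMedia({ video: true });
    const track = stream.getVideoTracks()[0];
    // displaySurface is "monitor" (whole screen), "window" or "browser" (a tab).
    const surface = track.getSettings().displaySurface || "unknown";
    return { ...stored, screen: surface, stream };
  } catch (err) {
    // Cancelling or dismissing the picker rejects with NotAllowedError.
    if (err.name === "NotAllowedError") {
      return { ...stored, screen: "refused", stream: null };
    }
    throw err;
  }
}

// Constructed stand-in for the browser objects so the flow runs offline.
// userChoice is what the simulated user picks in the picker, or null to cancel.
function fakeBrowser(userChoice) {
  const permissions = { query: async () => ({ state: "denied" }) };
  const mediaDevices = {
    getDisplayMedia: async () => {
      if (userChoice === null) {
        const err = new Error("Permission denied");
        err.name = "NotAllowedError";
        throw err;
      }
      const track = { getSettings: () => ({ displaySurface: userChoice }) };
      return { getVideoTracks: () => [track] };
    },
  };
  return { mediaDevices, permissions };
}
```

With camera and microphone both reporting `denied`, the call still returns a stream once a surface is chosen in the picker, which is the behaviour the question observed.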