November 23, 2016

Share browser windows and entire screen only with sites you trust.

Contributed by Jan-Ivar Bruaroey

Screen-sharing is a powerful new web feature that lets you share what’s on your computer screen with a web site. This can be extremely useful. Imagine co-browsing with a friend, or having a service technician remotely diagnose a problem on your computer. But at the same time, it carries significant security and privacy risks.

Certain windows are riskier to share than others. Firefox will warn you not to share browser windows, or even your entire screen when a browser window is present on it, unless you trust the web site. The reasons for this are technical, but boil down to this:

When sharing a regular window, a web site may passively record what you’re doing, which is bad enough: It can catch glimpses of things you didn’t intend to share, say if you scroll quickly through a document.

But web sites can make browser windows dance, popping up private information from other web sites you never intended to share. They can do this quickly and without your involvement. This becomes an active threat when you share your screen with a malicious site that is visible on that same screen. That site may now effectively browse as you, using any logged-in credentials you may have in place, to target and steal your private data.

Now that we have your attention, we can explain the extent of this risk, and how it came to be.

Sharing a browser window does an end-run around the same-origin policy.

Web sites have always been able to make your web browser dance with content from lots of different places. Ads work this way in fact. But web sites normally can’t see the results of such cross-origin output themselves. That is: They can’t read back and interpret the pixels from other sites. These pixels were shown only on your screen, and that makes it safe. The technical term for this is the same-origin policy. It’s an important web security mechanism that exists in all browsers.

However, once you share a browser window with a site, you’re effectively giving that site a mirror. That site may now potentially see the results of other sites it summons, things it shouldn’t see. You no longer have that important web security mechanism in place.


For example, take a user who doesn’t log out of their banking site before closing the tab. Say the user shares their screen with a malicious web site shortly after. That site could now launch deep-link account information URLs to popular banks in an iframe. Because the user is technically still logged into their bank, the malicious site may succeed in displaying personal account information. The site would need to flash this output on the screen only for a split second to capture it. A clever site may even wait to do so until the user is not looking or steps away (by checking for inactivity, or looking at the web camera, if shared).
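From the side of the site being summoned, the iframe path in the example above is something its own response headers control. The following is an added example, not code from the original post or from Firefox: it audits sample response headers to decide whether a page may be rendered inside a frame on another origin. The function names, origins and header values are constructed for illustration, and the check covers only framing, not pages opened in a separate window or tab.

```javascript
// Added example. Header names are real; origins and sample values are constructed.

// Does one frame-ancestors source expression admit the embedding origin?
function sourceAllows(source, embedder, self) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return embedder === self;
  try {
    return new URL(source).origin === embedder;
  } catch {
    // Wildcard-host or scheme-only source: not modelled here, so err
    // toward reporting the page as frameable and review it by hand.
    return true;
  }
}

// headers: object with lowercase header names. embedder/self: origin strings.
function canBeFramedBy(headers, embedder, self) {
  const lists = (headers["content-security-policy"] || "")
    .split(",") // several policies may be joined with commas
    .flatMap(policy => policy.split(";"))
    .map(directive => directive.trim().split(/\s+/))
    .filter(tokens => tokens[0].toLowerCase() === "frame-ancestors")
    .map(tokens => tokens.slice(1));
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return lists.every(sources => sources.some(
      s => s.toLowerCase() !== "'none'" && sourceAllows(s, embedder, self)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true; // absent, or obsolete ALLOW-FROM that current browsers ignore
}

const SELF = "https://bank.example";       // constructed: the framed site
const OTHER = "https://untrusted.example"; // constructed: the embedding site
const samples = {
  noHeaders: {},
  xfoDeny: { "x-frame-options": "DENY" },
  cspSelf: { "content-security-policy": "default-src 'self'; frame-ancestors 'self'" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, canBeFramedBy(headers, OTHER, SELF) ? "frameable" : "blocked");
}
```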

You run these risks only when a browser window is being shared, or when you share your whole screen with a browser window on it, so, again, only share these two things with sites you trust. Safe browsing!