
I wonder if an attacker could leverage this to play twenty-questions with a user.

Video is typically so-and-so dimensions in the bottom right-hand corner. Clicking the video (I assume) pauses it. Pausing a video (I assume) can change the request pattern for what is being streamed. Most sites use a white background (let's say).

So an attacker who controls video content can stream a still image of some site or browser security "statement" with a picture of a button to click if the statement is untrue. If the user clicks the fake button they stop the video and signal to the attacker their response to the statement.

Not super useful given an arbitrary page behind the video. But what if the video's content is about, say, how to change settings on your bank site to get a better APR? I can imagine someone assuming that the video has turned into a small "quiz" from the bank. Maybe even a "click here to proceed" button to get them to unpause the video.



The entire concept reminds me too much of iframes, embedded Flash and Java applets. I can see many security problems coming with this in the future. Especially if they try to make it a real window that can jump tabs and stay pinned, which seems to be what most people here would really want and an obvious next feature.

Think about clickjacking, address bar spoofing, and similar mosaic-style hijacking. That's not even getting into potential CORS and origin spoofing potential.



