This attack/feature hinges on the

config.prejoinConfig.enabled=false

config (which implicitly decides weather or not a prejoin dialog is shown)

but this makes me wonder

1. why can you set that config in a URL? Allowing users to set it for them-self seems fine, but allowing rooms or URL to use it seems ... off.

2. how many other sites have this attack surface (e.g. MS Teams) just more obscure

3. actually the moment the attacker controls JS probably *all* other video conference systems have the feature, through potentially needing a lot of additional work. In which case maybe just being straightforward and open about it is fine? But the cost of such an attack is just a very bit too low compared to other conference systems.