Re: [w3c/manifest] Forbid browser to take screenshots (#661)

AIUI, there are two use cases for this:

1. Snapchat, etc, protecting "secure messages" that are supposed to be deleted, from being screenshotted by the recipient.
2. Banking and other sensitive-content sites, preventing malicious apps from secretly screenshotting the user's information displayed on the site.

If the browser allows the user to override the API, then it defeats use case 1, which is protecting the *sender* from having their information stolen by the *receiver* (who is our user). Satisfying that use case requires much stricter DRM controls to prevent the user from circumventing it. (Perhaps you literally can use EME for this?)

Use case 2 is protecting the *user* from their *system*. I'd say if you have malicious native software screenshotting your apps, then you have bigger problems to worry about (and a browser API to prevent screenshotting is unlikely to help).

> For b), apps get around it by detecting that a screenshot has been taken and informing the sender.

That's also necessarily a best-effort thing. You won't always be able to tell if a screenshot was taken; e.g., on Windows I could just have screen recording software running and I doubt the browser can reliably detect that.

> What's wrong with best-effort? You can do a lot of things on desktop that you can't do on mobile, and vice-versa.

Because most APIs that are best-effort simply mean a feature isn't working sometimes. If this API fails then you have information leakage (and that's worse than not having the API at all, because then you haven't made any false promises).

> a user can forbid access to the webcam or microphone, so why not allow them to do the same with screenshots on Android

That's different. The cam/mic setting is protecting *the system* from *the site*. The promise of the web is that sites you visit will not be able to harm or read data from your system, so this is well within the scope of web APIs. This feature request is about protecting *the site* from *the system*. Doing so is generally outside of the web's scope, since native apps generally have unlimited powers and we can't make any guarantee that web apps will be safe from rogue native apps.

> Why is Android allowing this, then? Are they wrong too?

I can't speak for the Android platform.

> outside of the fact that this is trivially worked around and complete security theater, the manifest is not a great place for this concept to live.

I agree; this should be raised on some other spec. It would presumably be an API, not a manifest flag.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/661#issuecomment-374085208

Received on Monday, 19 March 2018 02:41:46 UTC