Re: [mediacapture-viewport] getViewportScreenshot (younger sibling of getViewportMedia) (#2) from Gustavo via GitHub on 2025-07-14 (public-webrtc-logs@w3.org from July 2025)

From: Gustavo via GitHub <noreply@w3.org>
Date: Mon, 14 Jul 2025 12:03:07 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-3069229194-1752494585-noreply@w3.org>

> Workarounds such [dom-to-image](https://github.com/tsayen/dom-to-image) exist that don't need explicit permission for non-CORS content. If requiring user consent is deemed essential, then I think measures should also be taken to shut off what's already possible with those workarounds.

I suspect it's not possible to avoid what `dom-to-image` does. It's essentially just copying the HTML and rendering in Canvas. Even if it wasn't possible to render in Canvas directly in the browser, you could still send the HTML to a server and render it there. Even "worse", it's also not possible to avoid what tools like LogRocket and OpenReplay do. As long as JS have access to the DOM, developers can reconstruct what's visible on the screen. So I think asking the user to confirm every time wouldn't mean a lot in terms of security of privacy. It would just make this feature less useful. Particularly, I would keep using a workaround to avoid the friction.

-- 
GitHub Notification of comment by gustavopch
Please view or discuss this issue at https://github.com/w3c/mediacapture-viewport/issues/2#issuecomment-3069229194 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 14 July 2025 12:03:08 UTC