[webrtc-nv-use-cases] Concern: Availability of getDisplayMedia() in file:// Secure Contexts (#131)

tmpmachine has just created a new issue for https://github.com/w3c/webrtc-nv-use-cases:

== Concern: Availability of getDisplayMedia() in file:// Secure Contexts ==
If this is not the right spec for the issue, please point me to the right spec. Thanks!

---

API Affected: navigator.mediaDevices.getDisplayMedia()

Allowing screen capture initiated from a local `file://` page presents a unique risk compared to capture initiated from a remote network origin (e.g., HTTPS).

`file://` URLs have the capability to:
- Embed content directly from the local file system.
- Embed the directory browser.

This means if the user opens a malicious HTML app directly in the browser (`file://` URL) and uses the API, the app can pixel steal the content of local files.

Given the unique capabilities and potential risk of local file access, a discussion is needed against screen capture initiated from local files, i.e., whether or not the current specification should continue to permit `getDisplayMedia()` calls from `file://` contexts.

Please view or discuss this issue at https://github.com/w3c/webrtc-nv-use-cases/issues/131 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 5 May 2025 16:43:55 UTC