#625: API for display-capturing the current tab

Visit on Github.

Opened Apr 23, 2021

Ya ya yawm TAG!

I'm requesting a TAG review of getCurrentBrowsingContextMedia.

Overview

Consider the existing navigator.mediaDevices.getDisplayMedia(). It allows a user unlimited choice of sources - any monitor, window or tabs.

We’re in the process of standardizing a new API - getViewportMedia - that will allow web-applications to present a simple confirmation-only prompt to the user. The security requirements of this API are under active discussion, but consensus is forming that both cross-origin isolation and a new opt-in header will be required.

Not all applications can accept these requirements - at least not in the short-term. However, by forcing such applications to use getDisplayMedia, the user is pushed towards the riskier option of sharing the entire monitor. Why is that the riskier option? Because at the moment capture starts, the entire current monitor includes the current tab. Note that the moment capture starts is sufficient for almost any attack, as all attacks we have thus far considered could be carried out using a single frame.

A hybrid API is deemed necessary in order to offer some of the benefits of getViewportMedia without its elevated security requirements. This hybrid API will allow the application to signal its preference for capturing the current tab by way of a new dictionary member parameter for getDisplayMedia. Namely, we will extend DisplayMediaStreamConstraints by adding another dictionary member called preferCurrentTab with a default value of false. When getDisplayMedia is invoked with preferCurrentTab=true, the browser will offer the current tab as the first option to the user, but will still offer unlimited choice of capture sources (see image below).

The unlimited choice of sources makes this new API compliant with the requirements of getDisplayMedia. Since it complies with the requirements of getDisplayMedia, the security requirements placed on getDisplayMedia are sufficient for this new hybrid API.

Screen Shot 2021-06-03 at 23 40 58

Links and Details

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Relevant time constraints or deadlines: We aim to ship in Chrome m92 or m93.
  • The group where the work on this specification is currently being done: WebRTC WG works on getViewportMedia, but is not interested in this hybrid API.
  • The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WICG (I will link once this is in the WICG.)
  • Major unresolved issues with or opposition to this specification:
    • Mozilla and Apple have voiced the opinion that getViewportMedia should be sufficient, and were not interested in "weakened" version.
    • Our position, on the contrary, is that this hybrid is necessary and does not degrade security when compared to getDisplayMedia.
  • This work is being funded by: Google

You should also know that...

A word of caution over a source of potential confusion:

  • The name getViewportMedia is a later conclusion. Initially, that API was offered under the name getCurrentBrowsingContextMedia. Chrome has an active origin-trial for getCurrentBrowsingContextMedia which accomplishes the same thing as preferCurrentTab, but uses a new method instead of a new dictionary member. See the explainer.

We'd prefer the TAG provide feedback as (please delete all but the desired option): 💬 leave review feedback as a comment in this issue and @-notify @eladalon1983

Discussions

2021-05-31

Minutes

Ken: Still needs explainer

Dan: need to resolve is 625 a duplicate of 609?

Lea: understand it's not, but they're working together to consolidate them. Ken and I were in this call with Dom where he explained.

Ken: Dom said he wants to reopen a TAG review with updated materials, updated exlpainer and S&P. Don't need the TAG to pick. Wanted to determine whether either request was safe. That was two weeks ago.

Lea: still pending external feedback? What about the other one?

Dan: 625, also 14 days ago Dom sent something. Multiple arguments going on with different people in these discussions. TAG feedback should be for them to sort it out..

Lea: not the TAG's job to consolidate

Dan: right, shouldn't be two issues open for us. But got pushback. Posting on both issues.

Yves: another option to close both and open another one if there is a dispute they want feedback on.

Lea: last resort to use us to resolve dispute

Hadley: encourage them to work together

Dan: we need more guidance to figure out what we should be reviewing

2021-09-Gethen

Minutes

Dan: recent comment lays out a position from Google ... we have to consider both of these issues in parallel. Elad is saying that the thing they're proposing in 625 is a temporary measure, maybe we should be saying that's great okay but why won't that then become the de facto thing that people use? The web is full of short term measures that became the long term unfortunate thing.

Sangwhan: a lot of people are using this feature without realising its Chrome only - it's not standardised

Dan: [shares tab using the API described in 625]

Sangwhan: a lot of people are using this - though it's only implemented in chrome. I think the trade off given the situation we're in is something we're going to have to live with.

Dan: Why don't we say we appreciate .. thank you for clarifying that #609 is the long term proposal, we will focus our efforts on reviewing #609. Can you provide a roadmap for how you see transitioning people from use of this API to what is described in 609 once the issues are resolved? Eg. would 609 be layered on top of 625? Based on that we could propose closed.

Dan: why is it called preferCurrentTab? comment left