Meeting minutes
<jesup> is there a zoom session for element capture?
<jesup> the link in the agenda led to an empty room
<seukyoon-kang> thank you!
eladalon: Screenshot of me and Mark, docs can embed a videoconferencing app
… One of them captures a portion of the screen and transmits that remotely
… A couple of options, transfer stream to the video conferencing iframe
msw: In screen capture, for training videos, web app might capture a portion of the content area
<jib> Sorry I joined late. Is there a link to the slides?
ericc: Would the occluded portion of the elements be captured? Danger of the user exposing information they cannot see
eladalon: This can happen today, when users type input it can show up in the capture.
<?>: In iOS, we have a mitigation that camera capture requires a preview
<?>: The concern is not malicious sites, but users knowing what they are sharing
jib: Built on getDisplayMedia but also getViewportMedia, very different security properties. Which one?
eladalon: Requires for getViewportMedia, requirements were difficult to comply with
jib: Non-compliance not a good argument
eladalon: See if we can relax from getViewportMedia, but if we can't, then stick with it.
youenn: Trying to understand, is the interest to reduce requirements from gVM, or to fix the occlusion issue
eladalon: Too early to say, may not be possible, but it is an interesting topic to drive adoption
… Two requirements for gVM: cross-origin isolation, and opt-in from document-policy
… Sounds like we could use it for element-level capture to reduce requirements
… Document policy is sufficient, if others have ideas, let's discuss
arthursonzogni: Seems sufficient from requirements
… Include iframes that do not include policy?
iclelland_: With document-policy, I consent to be captured by this origin. All embedded frames also must consent or we don't allow it.
arthursonzogni: Is there a race when creating iframes?
iclelland_: We have a mode, similar to CSP-embedded. I require this policy on all frames I embed, if they don't comply, they don't load.
… Could be useful here, have to be careful with dynamic content.
jib: Security requirements should be the same, iframe or div could be an element. To me the security requirements are the same
… Requires cross-origin isolation, which prevents loading non-consenting documents
herre: Could be useful to talk about use cases enabled by more relaxed permissions.
… Some small part could be captured without the entire document.
youenn: Iframe could impact size of 3p content. getVM seems like the right baseline. Figure out if we need to decrease security.
… Always a hole.
herre: Worth trying.
eladalon: Find a way to isolate, to prevent data leakage. May need CSS to isolate rendering. Worth looking for it.
… You've created content and you want to show ads. Ads don't want to be captured.
youenn: These are two different projects. Two different specs. If you want to have it soon, do the security later.
jib: Maybe an unpopular comment. Self-capture, at some point, creating a new render target for HTML.
… We've backed into a powerful feature. If an HTML app needs to capture video, then it's worth questioning whether the app can do it itself.
eladalon: We have web developers asking for it. Google Docs and Meet, non-Google developers asking for it.
eladalon: Why shouldn't we do this? If we separate/stage those discussions, how do we make it accessible to more users.
… Why would we not want to provide this API.
jib: Can these applications do it with canvas? If element capture requires a permission, would it meet the use case?
youenn: Occluded content, there is a big difference with getViewportMedia. Will the user understand the difference between element capture and gVM?
eladalon: For most applications, there is no difference between gVM and element capture. For malicious applications, the same issue.
youenn: The same prompt, but the user mitigation is different? From the user's point of view, inconsistent.
youenn: If you scroll down, understood that it is not shared. In fact it is not the same thing.
jib: With this new API, there is no "flashing."
eladalon: You broke the page apart, could piece them back together. Machine could never see that.
fluffy: Surprising that what is being captured is different from what the user is seeing.
fluffy: Prompts don't solve.
eladalon: Danger is limited, content is what origin already knows
mfoltzgoogle: These issues have already existed with capture from canvas and capture from video.
eladalon: Link purpling needs to stop when you start capture. But I don't see it as unique to element capture.
youenn: getVM is more like screen share, this is different, rendering in the background.
eladalon: Some issues are unique, some are shared.
jib: These concerns are elevated, with occlusion. We already have offscreen canvas. If I see things are flashing on my screen, if it's occluded there are no signs.
eladalon: Assume that the user won't notice the flashing if it's a single pixel.
eladalon: We should mitigate concerns and make them happen. Some tricks that the web page might do, we can do mitigations.
youenn: If we can't see the content, then no mitigations.
… With occluded content, I don't see what we can do.
youenn: Iframe that is fully isolated?
iclelland_: Fenced frames
eladalon: Could be that size leaks information.
… about embedded content.
ada: Chair of IWMG. One of the most requested features, is an API to view DOM scenes.
… Problem trying to solve for 5 years.
… Either too dangerous, or restrictions made it unusable.
… Play YouTube in WebXR.
… Might have some related places where we encountered problems.
… DOM layout that is not readable by the user.
… Adding on the ability to a fake interaction on the projected view, redirect back to the original DOM without synthesized clicks?
eladalon: Seems orthogonal to me.
jib: Out of scope for screen capture spec. End up tripping up malicious use cases, scams.
youenn: Do you need user specific rendering? Being rendered based on user specific information.
… Any browser instance would produce the same information.
eladalon: Mostly personalized content.
youenn: Maybe you want an HTML to video converter that doesn't depend on the user.
eladalon: Could turn off link purpling, autofill, etc. for the user, accessibility settings
youenn: Accessibility should be protected
herre: Users need informed consent.
jib: Browser to steer users towards better choices than sharing the full screen.
eladalon: Google feedback tool uses gDM, we could do better.
jib: Working on better choices, windows, tabs. Not sure this is moving in the right direction. Push back on the use case.
… Better ways to solve overlapping menus. Smart cropping to an element. Move the menu to the side.
… You can say crop to this element, and crop to coordinates, if you don't want to overlap.
eladalon: Give applications a consistent way to remove private content, like chat notifications
… Giving the proper weights to the issues. The occluding content that is private, more of a problem than getVM
fluffy: Can you turn off notifications in browser apps, we are talking about in-content notifications.
eladalon: ChromeOS does that
ericc: ScreenCaptureKit does that.
eladalon: We deal with tradeoffs, current state is not great. We could be allowing better applications to be built. The perfect be the enemy of the better.