cross-origin or isolated content

[martinthomson]

Can this be used for content that would not otherwise be readable to the origin? The spec doesn't seem to prevent that.

Given that an element might be occluded or off-screen, that makes this very challenging ...even if access to this capability is gated behind consent prompts. That also makes this very different from asking for fullscreen/browser/tab capture.

I would prefer that this not be possible for elements that contain cross-origin content. Or, that the mechanism used for canvas (tainting) be used to cause content to be inaccessible if content is not readable by the origin.

[eladalon1983]

This API is exposed on MediaStreamTrack. This means that an origin invoking this API already has access to all of the pixels in the current tab, so all that content is already readable.

One might have objected that occlusions contradict the prior claim, as the pixels Element Capture gives access to are different from those of the whole tab, and are not a strict subset. I believe that such an objection would be incorrect. The origin that mints the RestrictionTarget token and posts it to the capturer, effectively declares itself to be willing to collaborate with the capturer. It could have just removed occlusions and given the capturer access to them, if it so wished.