Deny captureStream for cross-origin media by default

[shhnjk]

Per spec, it is allowed to captureStream() cross-origin media contents. But I don't see much benefit from it. Instead, there are many risks. Media related APIs are growing and it's complicated for browsers to allow captureStream of cross-origin media yet deny leaking information. Stream can be passed from video <-> canvas, or to WebRTC peer, etc.

Chrome denies to captureStream for cross-origin media contents today. Where Firefox allows it.
I think we should stick to Chrome's behavior and change the spec.

Test
https://test.shhnjk.com/whycapture.html

[shhnjk]

CC: @mikewest @annevk @dveditz

[annevk]

As long as the <canvas> is tainted how is this different from drawImage() doing a similar thing?

[shhnjk]

This is media stream, so there's no requirement of canvas. It is similar to drawImage, but the spec doesn't have nice concept like "origin-clean flag". So any new media API that can retrieve data from stream (or streamTrack, and more) could potentially leak the data.

[shhnjk]

So in that sense, I don't have much problem with HTMLCanvasElement.captureStream() because UA can check "origin clean flag" of canvas. But I'm worried about HTMLMediaElement.captureStream().

[guest271314]

What are the risks with capturing cross-origin media content?

[shhnjk]

Potential of stealing cross-origin media file. But seems like there are more APIs that has ability to do it. So closing the issue.