-
Notifications
You must be signed in to change notification settings - Fork 162
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent Screenshots in PWAs #1154
Comments
This is entirely anecdotal feedback from a user perspective, but I find these kinds of restrictions on native mobile app platforms incredibly irritating and trivial to work around (e.g. by just taking a photograph of the screen). It's a bit like the flawed attempts to prevent right clicking on images on web pages to prevent them being downloaded - irritating for the user and trivial to work around for someone with a little knowledge of how the web works. The main use case I have seen for this (other than Netflix) is preventing screenshots inside banking apps, which is a genuine use case that shouldn't be taken away from users IMHO. It results in the silly situation of having to submit a photograph of a phone screen in an expense claim for example. I understand there's an argument that some companies may choose not to use the web platform due to the absence of this feature (which is available on native app platforms), but I really think they're just fighting against the laws of physics - in that generally speaking if you can see an image with your eyes then it can be captured by a camera. At best it increases user friction as a weak mitigation of a perceived threat to a corporate interest, but rarely benefits the end user (which is ultimately who a "user agent" should represent). Apart from that, I'm of the opinion that DRM should be kept away from the web platform as much as possible, since it's the antithesis of the open nature of the web. Just my two cents. |
Thanks for the feedback!
I agree from the UX point, one of the cons of the feature would be if this gets used way too much for the most irrelevant reasons. This is also why making web apps for Banking might be the right use case. I hope this gets done carefully with approach to move forward without hurting the users, as well as possible solutions for businesses.
I agree with this too, even DRM can be cracked through and one can still take pics, not to mention external devices just like a user's eyes. While this is true, the native app features are not going anywhere, and I would love to take an approach forward where web can implement this for the purpose of security. |
Follow-up question: If this was a feature of a web app manifest which is only applied when installing a web app, wouldn't that mean that the restriction doesn't apply when the web app is not installed (i.e. just loaded in a web browser). So rather than progressive enhancement (as per the PWA term you used), installing the app would take features away? |
@yashrajbharti Thank you for your suggesting this feature. I don't think the Web Application Manifest is the right place for this functionality. As @benfrancis pointed out, the feature would only work if the manifest is applied, i.e., if the app was opened from the home screen, dock, or taskbar. Moreover, limiting this functionality to specific routes might not be suitable, as some pages may need to only temporarily prevent screen recordings (e.g., while entering sensitive information like credit card details) without having to change the route. I suggest you submit this feature proposal to the Web Incubator Community Group (WICG) proposals repository. The WICG is the appropriate place to discuss potential web features like this one and determine whether such a capability should be adopted at all, as @benfrancis raised. As the request doesn't really align with the Web Application Manifest, I will close this issue. Thank you for your contribution and feel free to reach out if you have any other questions. |
I see, I shall try to understand how this feature could, if at all, help the web and propose a WICG proposal, thanks a lot for such a detailed answer, @christianliebel. |
Sorry for the late reply but for completeness, this was already raised on #661. Most of the same points were raised and discussed in detail. I agree that a separate WICG proposal is the appropriate forum for this as it would be to be a core web feature, not a manifest feature. However, I also don't think it's practical and would face huge technical and philosophical hurdles. See my last comment on #661: if you can't guarantee this will prevent screenshots on all browsers then it would be worse than not having it at all because it would just annoy users without actually preventing any data leakage. |
I am starting to see it leading to a lot of tech challenges, and am rather convinced to not have it implemented (its important to consider every reason on why it will fail, and there seems to be enough of it). Thanks a lot for pointing out @mgiuca! |
(There's a Fugu API request for this feature in https://issues.chromium.org/issues/41461179 with some more background.) |
Abstract
This proposal explores adding a feature to the Web Manifest that would allow developers to prevent screenshots of specific PWA screens. The functionality aligns with native app behaviors like Google Pay disabling screenshots on payment pages or WhatsApp restricting profile page captures. While the implementation for the web has complexities (e.g., bypassing DRM on Mac by disabling CSS hardware acceleration), PWAs can leverage secure APIs to emulate native app security.
Background and Motivation
Native apps commonly use features like Android's
FLAG_SECURE
or DRM to protect sensitive information from being screenshotted. Implementing similar behavior for PWAs would provide a more secure and privacy-conscious user experience, especially for financial transactions, private messages, or sensitive media.Proposed Solution
"screenshot-protection": ["page1", "page2"]
.FLAG_SECURE
) to implement this functionality.Challenges and Scope
Cross-platform Differences:
While mobile platforms like Android support APIs for screenshot prevention, desktop platforms (e.g., macOS) present challenges due to the potential for bypassing using developer tools or hardware configurations.
Web DRM Complexity:
Implementing DRM for web-based applications has historically been difficult and may require additional considerations for PWAs.
Developer and User Expectations:
Balancing security with usability is critical to avoid over-restrictive or intrusive behavior.
Future Considerations
References
The text was updated successfully, but these errors were encountered: