[EyeDropper] Restrict API access to content area

[krgovind]

[Writing on behalf of Chrome Security and Privacy teams. CC\ @camillelamy ]

The explainer states this as a goal:

Provide access to the color values of one or more user-selected pixels, including pixels rendered by different origins, or outside of the browser.

However, it is preferable to restrict API access only to the page content area only. Access to the browser window/controls area, or area outside of the browser could make clickjacking attacks possible; and potentially reveal fingerprintable information about the user (e.g. OS preferences).

[BoCupp-Microsoft]

@krgovind, we prefer not to restrict it to the page content area. This API competes with system color dialogs which can select any pixel on the screen. Some browsers use those system color dialogs today for input[type=color] elements. Does this API introduce a new threat, and if so, can you expand on what makes it more vulnerable?

Also, in case you didn't see it, we plan to gate entry into EyeDropper mode with user activation and require that the user explicitly select a color while in EyeDropper mode (for example by clicking the mouse button) before any information is sent back to the web page. More on this in this section of the explainer.

[tomayac]

@krgovind, we prefer not to restrict it to the page content area. This API competes with system color dialogs which can select any pixel on the screen. Some browsers use those system color dialogs today for input[type=color] elements. Does this API introduce a new threat, and if so, can you expand on what makes it more vulnerable?

+1, as a potential user of this feature grabbing the color from somewhere out of the current tab (for example, from a vector image I'm editing in a different app) is a key usage scenario.

[BoCupp-Microsoft]

@krgovind I just noticed that @ericlaw1979 commented here with a potential attack that I think illustrates your concern. I suggested these mitigations. Let me know if they would address your concerns.

Thank you!