docs(security): record measured WDA_EXCLUDEFROMCAPTURE behavior + capture-vs-viewer framing

Tested on .173: a WDA_EXCLUDEFROMCAPTURE window (affinity readback 0x11,
confirmed active) is pixel-identically visible in the punktfunk/1 stream
across no-flag / flag-set / flag-cleared phases — the flag makes no
difference to a present-tap capture. Replace the "untested, treat as
expected" note in the IDD-push residual list with the measured result,
and correct the framing: WDA visibility matches what a person at the
screen sees (it exceeds an ordinary capture tool, not the physical
viewer).

Add the matching public-facing paragraph to the security page covering
both asymmetries — WDA windows appear (same as a physical viewer), DRM
video is blanked (less than a physical viewer) — tied back to the page's
"a client sees what someone at the machine sees" model.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-04 11:16:18 +00:00
parent 90c2d8b3a0
commit 8b37badae4
2 changed files with 18 additions and 2 deletions
+8 -2
View File
@@ -136,8 +136,14 @@ reason "admin/SYSTEM = total" stays on the residual list below.
boundary against admin. The host↔driver channel has no mutual authentication beyond the `GET_INFO`
version handshake + the `verify_is_wudfhost` image check.
* **`WDA_EXCLUDEFROMCAPTURE` windows are visible.** IDD-push taps the *present* side, not the
*capture* side, so windows that exclude themselves from capture still appear in the stream — true
of every virtual-display streaming stack. Untested on our lab box; treat as expected behavior.
*capture* side, so windows that exclude themselves from capture still appear in the stream. This is
the same exposure a person looking at the physical screen has (the flag hides a window from capture
APIs, not from the display), so it fits inside the "a client sees what someone at the screen sees"
model rather than exceeding it; what it exceeds is an ordinary screen-*capture* tool (OBS/WGC/DDA),
which honors the flag. **Measured, not assumed (2026-07-04, .173):** a full-screen test window was
streamed through three 8 s phases — no flag / `WDA_EXCLUDEFROMCAPTURE` set (affinity readback `0x11`,
confirmed active) / flag cleared — and the window was pixel-identically visible in the decoded
punktfunk/1 stream in all three. The flag made no difference to the stream.
* **DRM/HDCP:** protected content is blanked by DWM at composition, and HDCP is a monitor↔GPU
handshake an indirect display cannot satisfy — neither is bypassed by this path.
* IDD-push is currently the **sole Windows capture path** (DDA and the WGC relay were removed). An