docs(security): record measured WDA_EXCLUDEFROMCAPTURE behavior + capture-vs-viewer framing
Tested on .173: a WDA_EXCLUDEFROMCAPTURE window (affinity readback 0x11, confirmed active) is pixel-identically visible in the punktfunk/1 stream across no-flag / flag-set / flag-cleared phases — the flag makes no difference to a present-tap capture.

Replace the "untested, treat as expected" note in the IDD-push residual list with the measured result, and correct the framing: WDA visibility matches what a person at the screen sees (it exceeds an ordinary capture tool, not the physical viewer).

Add the matching public-facing paragraph to the security page covering both asymmetries — WDA windows appear (same as a physical viewer), DRM video is blanked (less than a physical viewer) — tied back to the page's "a client sees what someone at the machine sees" model.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -136,8 +136,14 @@ reason "admin/SYSTEM = total" stays on the residual list below.
boundary against admin. The host↔driver channel has no mutual authentication beyond the `GET_INFO`
version handshake + the `verify_is_wudfhost` image check.
* **`WDA_EXCLUDEFROMCAPTURE` windows are visible.** IDD-push taps the *present* side, not the
*capture* side, so windows that exclude themselves from capture still appear in the stream — true
of every virtual-display streaming stack. Untested on our lab box; treat as expected behavior.
*capture* side, so windows that exclude themselves from capture still appear in the stream. This is
the same exposure a person looking at the physical screen has (the flag hides a window from capture
APIs, not from the display), so it fits inside the "a client sees what someone at the screen sees"
model rather than exceeding it; what it exceeds is an ordinary screen-*capture* tool (OBS/WGC/DDA),
which honors the flag. **Measured, not assumed (2026-07-04, .173):** a full-screen test window was
streamed through three 8 s phases — no flag / `WDA_EXCLUDEFROMCAPTURE` set (affinity readback `0x11`,
confirmed active) / flag cleared — and the window was pixel-identically visible in the decoded
punktfunk/1 stream in all three. The flag made no difference to the stream.
* **DRM/HDCP:** protected content is blanked by DWM at composition, and HDCP is a monitor↔GPU
handshake an indirect display cannot satisfy — neither is bypassed by this path.
* IDD-push is currently the **sole Windows capture path** (DDA and the WGC relay were removed). An
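Review bot: the new "Measured, not assumed (2026-07-04, .173)" sentence in this hunk records the result but not how to reproduce it: ".173" is an internal build shorthand that means nothing to a reader of the public security page, and the "full-screen test window" and the affinity readback are not tied to any named test harness or script. Suggest spelling out the full build identifier and pointing at the test used, e.g. "Measured on build <full version> with <test name>", so the claim can be re-run on a later build. Separately, the clause "an ordinary screen-*capture* tool (OBS/WGC/DDA), which honors the flag" is a documented Windows property of `WDA_EXCLUDEFROMCAPTURE`, not something the three-phase test exercised; a short "per the `SetWindowDisplayAffinity` documentation" would keep measured results and documented behavior distinguishable, which is the whole point of the "Measured, not assumed" framing. Minor: the removed line's qualifier "true of every virtual-display streaming stack" is dropped in the rewrite; if it is still believed, it belongs in the new text, since it tells readers this is a property of present-side taps generally rather than of this implementation.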