If this is not the right spec for the issue, please point me to the right spec. Thanks!
API Affected: navigator.mediaDevices.getDisplayMedia()
Allowing screen capture initiated from a local file:// page presents a unique risk compared to capture initiated from a remote network origin (e.g., HTTPS).
file:// URLs have the capability to:
- Embed content directly from the local file system.
- Embed the directory browser
This means if the user opens a malicious HTML app directly in the browser (file:// URL) and uses the API, the app can pixel steal the content of local files.
Given the unique capabilities and potential risk of local file access, a discussion is needed against screen capture initiated from local files, i.e. whether or not the current specification should continue to permit getDisplayMedia() calls from file:// contexts.