
Chrome Extension Screen Capture: desktopCapture, tabCapture & Monitor Risk

Risk: Critical

The Chrome extension screen capture permission family enables add-ons to obtain media streams of your tabs, application windows, or entire display—depending on API surface, user prompts, and OS policies. Anything visible on screen can be encoded and forwarded: tokens in authenticator apps, Slack threads, terminal output, or confidential PDFs you opened for “just a second.”

Video calls and vetted remote-support suites are expected users of capture. Unrelated extensions that request it are a critical red flag—especially when bundled with broad host access, arbitrary network egress, or native messaging bridges to desktop binaries.

Quick summary: extension screen capture in 30 seconds

  • Chrome extension screen capture covers APIs such as desktopCapture and tabCapture: video (and sometimes audio) streams of tabs, windows, or full screens—whatever pixels you display while sharing.
  • One frame can expose MFA codes, salary spreadsheets, private chats, customer PII, or recovery QR codes. Persistent or background capture is effectively shoulder-surfing at scale.
  • Legitimate video conferencing, pair-programming, and IT screen-share tools need it; games, wallpapers, and vague optimizers do not.
  • Exfiltration usually pairs capture with network access or native messaging—read the full manifest, not the capture line alone.

Real-world lens: Zoom-grade trust vs silent recorders

Users understand screen share inside a meeting they started. They do not expect a coupon extension to ever touch the capture APIs—same pixels, opposite trust story.

Exfiltration paths almost always include network access or native messaging. Pairing capture with read-all-sites rights lets attackers script lures before the share dialog even appears—treat the bundle as hostile until proven otherwise.

What screen capture enables (streams, recording & export)

  • Trigger picker flows (desktopCapture) so users choose a surface to share, then pipe MediaStream objects into WebRTC peers, recorders, or image encoders.
  • Capture specific tabs via tabCapture where supported—useful for Loom-style tools but still full DOM pixels for that tab.
  • Combine with scripting, unlimited network, or native hosts to archive frames, OCR text, or stream live video off-device without a second obvious UI.

Abuse scenarios: MFA leaks, insider exfil & rushed prompts

  • Credential and MFA leakage from authenticator apps, SMS panels, or backup code screens shown beside the browser.
  • Covert recording of regulated data—HIPAA charts, legal discovery, unreleased product screenshots—violating policy even if “only” pixels leave the machine.
  • Social engineering: rushed users approve share dialogs without reading which window is selected, enabling full-desktop grabs during a single slip.

Official docs: desktopCapture, tabCapture & web screen-capture model

Chromium extension capture APIs & install warnings

desktopCapture and tabCapture references enumerate entry points, stream types, and constraints—diff them each Chrome release if you ship or audit capture tooling.
Sources: Chrome — desktopCapture API · Chrome — tabCapture API

Declare-permissions and permission-warnings describe what users see before install; reconcile those strings with runtime share prompts.
Sources: Chrome — Declare permissions · Chrome — Permission warnings

Web platform primitives & insider-threat framing

MDN documents getDisplayMedia for web pages; W3C Screen Capture explains consent and surface-selection concepts that inform browser UX across extensions and sites.
Sources: MDN — getDisplayMedia() · W3C — Screen Capture

NIST’s insider-threat materials remind enterprises that screen recording is a high-impact egress path—extensions belong in the same inventory as traditional DVR tools.
Sources: NIST — Insider threat program

Practical tips: OS gates, session-only sharing & manifest audits

  • Grant capture only to named tools you actively use for conferencing or support; deny every other category by default.
  • Layer OS screen-recording permissions (macOS, Windows 11) so a second gate exists beyond Chrome’s prompt.
  • Prefer per-session sharing inside trusted apps over always-installed capture extensions; remove dormant recorders.
  • Audit manifests for capture plus network or native messaging; unexplained combos warrant immediate uninstall.

Last reviewed: March 2026. Educational overview only—not legal advice; verify API availability against current Chrome documentation.

FAQ: Chrome extension screen capture & sharing APIs

Short answers for common searches—use with the risk and mitigation sections above for full context.

What does Chrome extension screen or tab capture permission enable?

It allows APIs such as desktopCapture or tabCapture to obtain video streams of user-selected (or policy-allowed) surfaces—tabs, windows, or screens—so the extension can record, transcode, or transmit what you see.

How is desktopCapture different from website getDisplayMedia?

Both revolve around screen-sharing primitives, but extensions use privileged extension APIs and manifests; the trust boundary and pairing with other extension powers differ from a single-site prompt.

When is screen capture permission legitimate?

Video conferencing, collaboration, education, or IT remote support where you knowingly start sharing and trust the vendor’s security story.

Can capture leak data even when websites block copy/paste?

Yes—pixels do not respect copy restrictions. Anything rendered on a shared surface can be encoded, including QR codes, TOTP secrets, or confidential documents.

What are red flags in the manifest?

Capture bundled with unrelated categories, unknown publishers, or combinations like unlimited network plus native messaging without a documented need.
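A manifest check that covers both the "audit manifests" tip in the practical tips section and this answer, added here as an example rather than the guide's own tooling (Node.js; the sample manifest, the broad-host pattern list and the verdict strings are constructed for illustration):

```javascript
// Added example, not code from the guide: audit a Chrome extension manifest for
// capture APIs and the companion powers the guide treats as red flags when bundled.
const CAPTURE_APIS = new Set(["desktopCapture", "tabCapture"]);
// The guide's "unlimited network" maps to broad host patterns (cross-origin fetches from
// an extension need host permissions unless the server opts in via CORS).
const COMPANION_APIS = new Set(["nativeMessaging", "scripting"]);
const BROAD_HOST_PATTERNS = [/^<all_urls>$/, /^\*:\/\/\*\/\*$/, /^https?:\/\/\*\/\*$/];

// Gather API names and host patterns from both MV2 and MV3 layouts: MV2 mixes host
// patterns into "permissions", MV3 moves them to "host_permissions".
function collectPermissions(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ].filter((p) => typeof p === "string");
  const apis = new Set();
  const hosts = new Set();
  for (const p of declared) (p.includes("://") || p === "<all_urls>" ? hosts : apis).add(p);
  return { apis, hosts };
}

function auditManifest(manifest) {
  const { apis, hosts } = collectPermissions(manifest);
  const capture = [...apis].filter((p) => CAPTURE_APIS.has(p));
  if (capture.length === 0) return { capture, flags: [], notes: [], verdict: "no capture" };
  const flags = [];
  const broad = [...hosts].filter((h) => BROAD_HOST_PATTERNS.some((re) => re.test(h)));
  if (broad.length) flags.push(`broad host access: ${broad.join(", ")}`);
  for (const api of COMPANION_APIS) if (apis.has(api)) flags.push(`companion API: ${api}`);
  // Optional capture is not in the install-time warning; it is requested later at runtime.
  const notes = (manifest.optional_permissions || []).some((p) => CAPTURE_APIS.has(p))
    ? ["capture is optional: requested at runtime, absent from the install warning"] : [];
  // Capture alone is review-worthy; capture plus an egress or scripting path is the
  // bundle the guide says to uninstall unless the vendor documents the need.
  const verdict = flags.length ? "critical: capture bundled with egress/scripting" : "review: capture only";
  return { capture, flags, notes, verdict };
}

// Constructed sample: a coupon-style extension that has no business capturing screens.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Coupon Finder (constructed sample)",
  permissions: ["desktopCapture", "nativeMessaging", "storage"],
  host_permissions: ["<all_urls>"],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To run it over an installed extension, load its manifest.json with JSON.parse and pass the object to auditManifest; the verdict only summarises declared powers, so a "review" result still needs the vendor-need check from the tips above.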

Further reading: capture APIs & related eSafe guides

Cross-check every Chrome extension permission next to capture—especially all sites, native messaging, and network.

These topics often show up together in real extensions and abuse reporting—reading them as a set makes it easier to judge combined risk.


Audit what is installed

Pair least-privilege installs with a periodic review—especially after any extension update.