Proposal: Add initial confirmation, even for noninteractive screenshots
Problem
With the current implementation for the screenshot portal, applications can request screenshots to be non-interactive (i.e. suppress the confirmation dialog).
While this increases user-friendliness for applications whose sole purpose is to be a screenshot utility (e.g. Flameshot), and where manual confirmation for every screenshot may be undesirable, it also poses a security risk, as malicious applications (even while sandboxed using Flatpak) can request to take a screenshot non-interactively, and the user will be none the wiser.
Therefore, I propose to add an initial confirmation mechanism, even for non-interactive screenshots, so the user is aware of what is happening, and doesn't have consent taken away from them.
Proposed Solution
For the first non-interactive screenshot request per application, display a confirmation dialog with the following options, asking the user:
Application [APP_NAME] wants to take a screenshot
- Allow temporarily (allows the app to take a screenshot this one time, will ask for confirmation again if it wants to take another)
- Allow permanently (allows the app to take a screenshot this time, as well as allow all future requests* non-interactively)
- Deny (denies the app to take a screenshot this time, as well as all future requests* non-interactively)
Question: What do we mean by "all future requests"? Answer: One of the following:
- All future requests in this session, i.e. preferences reset after PC restart or log in -> log out
- All future requests until the end of time, i.e. preferences are saved in a config file. NOTE: With this approach we must keep in mind that certain applications could potentially write to config files and give themselves permission!
NOTE: The screenshot should be taken before the confirmation dialog appears, but it should only be forwarded to the requesting app upon confirmation. This is to ensure we don't break apps' expectations regarding the timing of the screenshot.
Alternative Solution
If an initial confirmation dialog is always undesirable, alternatively we can consider adding a notification popup that shows up the first time (per session) an application takes a non-interactive screenshot. This way, the user can track down and stop / uninstall the application if necessary.
Note however that this means at least 1 screenshot may be taken without the user's consent.
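
A minimal model of the decision flow in the proposed solution, as an added example that is not part of the original proposal or of the portal's code: the screenshot is captured first, held back until the user answers, and the per-application choice is kept in memory only (the session-scoped reading of "all future requests"). `ScreenshotGate`, `Choice`, the `capture`/`prompt` callables and the `org.example.*` IDs are hypothetical, and skipping the capture for an already-denied app is an assumption.

```python
from enum import Enum

class Choice(Enum):
    ALLOW_ONCE = "allow temporarily"
    ALLOW_ALWAYS = "allow permanently"
    DENY = "deny"

class ScreenshotGate:
    """Session-scoped model of the proposed confirmation flow (hypothetical names)."""

    def __init__(self, capture, prompt):
        self._capture = capture   # callable() -> bytes, grabs the screen
        self._prompt = prompt     # callable(app_id) -> Choice, shows the dialog
        self._remembered = {}     # app_id -> bool, in memory only, so no app-writable config file

    def request_noninteractive(self, app_id):
        remembered = self._remembered.get(app_id)
        if remembered is False:
            return None           # assumption: a remembered denial captures nothing
        # Capture before asking so the timing matches what the app expects.
        image = self._capture()
        if remembered is True:
            return image
        # Hold the image until the user has answered.
        choice = self._prompt(app_id)
        if choice is Choice.ALLOW_ALWAYS:
            self._remembered[app_id] = True
        elif choice is Choice.DENY:
            self._remembered[app_id] = False
        # ALLOW_ONCE stores nothing, so the next request prompts again.
        return None if choice is Choice.DENY else image

def demo():
    # Constructed sequence of user answers and a constructed image payload.
    answers = iter([Choice.ALLOW_ONCE, Choice.ALLOW_ALWAYS, Choice.DENY])
    prompts = []
    def prompt(app_id):
        prompts.append(app_id)
        return next(answers)
    gate = ScreenshotGate(capture=lambda: b"constructed-pixels", prompt=prompt)
    apps = ["org.example.Shot"] * 3 + ["org.example.Other"] * 2
    return [gate.request_noninteractive(a) for a in apps], prompts

if __name__ == "__main__":
    print(demo())
```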