Make enumerateDevices() more private ahead of getUserMedia() grant befind pref
Categories
(Core :: WebRTC: Audio/Video, enhancement, P2)
Tracking
()
People
(Reporter: jib, Assigned: jib)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
Attachments
(12 files)
(deleted),
image/png
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details | |
(deleted),
text/x-phabricator-request
|
Details |
Firefox already has a "privacy.resistFingerprinting" pref (bug 1372073) to reduce the fingerprinting surface of enumerateDevices().
Unfortunately, it renders site-driven device selection impossible, even after getUserMedia() access has been granted, making it nonviable as default behavior, for web compat reasons.
However, time has revealed that most WebRTC web sites implement device selection menus only after initial gUM grant, often with previews. The lack of labels in Firefox this early compounds this. [1]
So there's room to explore making the privacy.resistFingerprinting behavior [3] the default to sites that have NEVER been granted getUserMedia permission by the user, i.e. "the drive-by web", and then flip to today's behavior the first time the end user grants access to a site.
This could be done web compatibly by simulating the user inserting any additional devices found to be present at that point, firing the devicechange event, and updating the device list etc.
I believe Safari is exploring similar behavior [2], modulo some differences on repeat visits.
[1] https://webrtc.github.io/samples/src/content/devices/input-output/
[2] https://github.com/w3c/mediacapture-main/issues/559
[3] One question is what to do on systems without both a camera and microphone.
privacy.resistFingerprinting invents the missing (dummy) devices in that case.
We could consider keeping that behavior, perhaps with a caveat that once a
site has attempted getUserMedia() and succeeded or gotten NotFoundError, we'd
remove the invented devices, simulating their removal. The reasoning is that
most fingerprinting libraries won't risk triggering an actual user prompt, and
the information has already been revealed at this point (through NotFoundError).
Comment 1•5 years ago
|
||
Can confirm that this is breaking device selection in riot.im with resistFingerprint on. There is no way to select any camera apart from the default one.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 2•4 years ago
|
||
The spec has finally stabilized here and Google Chrome has implemented the more private Safari model. https://github.com/w3c/mediacapture-main/pull/632
We should as well. Up-prioritizing this work.
Assignee | ||
Comment 4•4 years ago
|
||
Note we risk taking a web compat hit here by adding this until crbug 1101860 is fixed.
Assignee | ||
Comment 5•4 years ago
|
||
For context: labels are now limited to active capture, persistent permission is insufficient.
Assignee | ||
Comment 6•4 years ago
|
||
Part of this work is to update devicechange
to fire less often to match the reduced enumerateDevices
exposure.
Sites like Discord appear to already assume devicechange
will only fire during active microphone use. The telltale sign this is firing when it shouldn't is "Device 2" since it doesn't have permission to show microphone labels.
Workaround: Discord could work around this Firefox bug by only showing the prompt if they're currently using a mic.
Updated•4 years ago
|
Assignee | ||
Comment 7•4 years ago
|
||
Assignee | ||
Comment 8•4 years ago
|
||
Depends on D100377
Updated•4 years ago
|
Updated•4 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Assignee | ||
Comment 10•2 years ago
|
||
Depends on D100378
Updated•2 years ago
|
Assignee | ||
Comment 11•2 years ago
|
||
Depends on D154139
Assignee | ||
Comment 12•2 years ago
|
||
Depends on D154175
Assignee | ||
Comment 13•2 years ago
|
||
Depends on D154302
Assignee | ||
Comment 14•2 years ago
|
||
Depends on D154303
Assignee | ||
Comment 15•2 years ago
|
||
Depends on D155428
Assignee | ||
Comment 16•2 years ago
|
||
These patches would bring enumerateDevices() up to spec, and close the fingerprinting leak that some sites have been using to work around bug 1609427 comment 11, so we may need an urgent solution there.
Assignee | ||
Updated•2 years ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Assignee | ||
Comment 17•1 year ago
|
||
Depends on D155430
Updated•1 year ago
|
Assignee | ||
Comment 18•1 year ago
|
||
Depends on D176925
Updated•1 year ago
|
Updated•1 year ago
|
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 19•1 year ago
|
||
This is landing behind pref for now.
Comment 20•1 year ago
|
||
Comment 22•1 year ago
|
||
Backed out for causing build bustages on MediaDevices.cpp.
-
Failure log
This also affected this hazard build
and there is this TV job that failed on the same push.
[task 2023-05-16T06:08:52.771Z] 06:08:52 INFO - gmake[4]: Entering directory '/builds/worker/workspace/obj-build/dom/media'
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - /builds/worker/fetches/sccache/sccache /builds/worker/fetches/gcc/bin/g++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -std=gnu++17 -isystem /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/7.5.0 -isystem /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/x86_64-linux-gnu/c++/7.5.0 -isystem /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/x86_64-linux-gnu -isystem /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include -o Unified_cpp_dom_media2.o -c -I/builds/worker/workspace/obj-build/dist/stl_wrappers -I/builds/worker/workspace/obj-build/dist/system_wrappers -include /builds/worker/checkouts/gecko/config/gcc_hidden.h -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DDEBUG=1 -DHAVE_UINT64_T -DWEBRTC_MOZILLA_BUILD -DRTC_ENABLE_VP9 -DWEBRTC_POSIX -DWEBRTC_BUILD_LIBEVENT -DWEBRTC_LINUX -DWEBRTC_USE_X11 -DWEBRTC_USE_PIPEWIRE -DMOZILLA_INTERNAL_API -DOS_POSIX=1 -DOS_LINUX=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/dom/media -I/builds/worker/workspace/obj-build/dom/media -I/builds/worker/checkouts/gecko/caps -I/builds/worker/checkouts/gecko/docshell/base -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/dom/media/webrtc -I/builds/worker/checkouts/gecko/layout/generic -I/builds/worker/checkouts/gecko/layout/xul -I/builds/worker/checkouts/gecko/media/libyuv/libyuv/include -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/checkouts/gecko/toolkit/content/tests/browser -I/builds/worker/checkouts/gecko/dom/media/webrtc/common -I/builds/worker/checkouts/gecko/third_party/libwebrtc -I/builds/worker/checkouts/gecko/third_party/libwebrtc/third_party/abseil-cpp -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fno-exceptions -fPIC -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -gdwarf-4 -freorder-blocks -Os -fno-omit-frame-pointer -funwind-tables -Werror -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-invalid-offsetof -Wno-error=deprecated -Wduplicated-cond -Wimplicit-fallthrough -Wlogical-op -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-overflow=2 -Wno-psabi -Wno-error=attributes -Werror=switch -fno-strict-aliasing -ffp-contract=off -MD -MP -MF .deps/Unified_cpp_dom_media2.o.pp Unified_cpp_dom_media2.cpp
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - In file included from Unified_cpp_dom_media2.cpp:110:0:
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - /builds/worker/checkouts/gecko/dom/media/MediaDevices.cpp: In member function 'bool mozilla::dom::MediaDevices::CanExposeInfo(mozilla::dom::MediaDeviceKind) const':
[task 2023-05-16T06:08:52.777Z] 06:08:52 ERROR - /builds/worker/checkouts/gecko/dom/media/MediaDevices.cpp:343:1: error: control reaches end of non-void function [-Werror=return-type]
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - };
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - ^
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - cc1plus: all warnings being treated as errors
[task 2023-05-16T06:08:52.777Z] 06:08:52 ERROR - gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:668: Unified_cpp_dom_media2.o] Error 1
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/dom/media'
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - gmake[4]: Target 'target-objects' not remade because of errors.
[task 2023-05-16T06:08:52.777Z] 06:08:52 ERROR - gmake[3]: *** [/builds/worker/checkouts/gecko/config/recurse.mk:72: dom/media/target-objects] Error 2
[task 2023-05-16T06:08:52.777Z] 06:08:52 INFO - gmake[4]: Entering directory '/builds/worker/workspace/obj-build/layout/ipc'
Updated•1 year ago
|
Assignee | ||
Comment 23•1 year ago
|
||
Depends on D177837
Comment 24•1 year ago
|
||
Assignee | ||
Updated•1 year ago
|
Comment 25•1 year ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/ea975297396d
https://hg.mozilla.org/mozilla-central/rev/55c6b85b37c1
https://hg.mozilla.org/mozilla-central/rev/b47fdabb6f86
https://hg.mozilla.org/mozilla-central/rev/8c51701fb02a
https://hg.mozilla.org/mozilla-central/rev/173f133fb868
https://hg.mozilla.org/mozilla-central/rev/016bced62d48
https://hg.mozilla.org/mozilla-central/rev/375bade19a5c
https://hg.mozilla.org/mozilla-central/rev/6c8c76da9ab7
https://hg.mozilla.org/mozilla-central/rev/364f837033b8
https://hg.mozilla.org/mozilla-central/rev/a809892ffbc5
Updated•1 year ago
|
Description
•