Bug 1642729 Comment 14 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Tom Ritter [:tjr] (ni for response to sec-[approval|rating|advisories|cve]) from comment #12)
> We would definitely want to ensure the image is downloaded credential-less and using the Null principal. Christoph can review/guide you on how to make sure that is the case. We would want to restrict the schemes allowed, it should only be http/https - no about: or file:// or otherwise.

The current implementation skips URLs that start with "file://". It's easy to add a check to skip "about:" as well. The passed URL will be loaded via `asyncOpen` in `nsIChannel`. For the `http` or `https` case, [`nsHttpChannel::AsyncOpen`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6469) will be called. It seems some [*content security check*](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6471-6472) is done there.

> If we're already sending media data over this interface I feel like web tracking is not really coming into play here?

Currently (without adding the patches here), the information sent over *MPRIS* includes *track title*, *track artist*, and *album name*, without checking `privacy.trackingprotection.enabled`.

What the patches here do is pack a *path to a local image file* into the information sent over MPRIS as well, in addition to the track info above. So maybe we can skip checking `privacy.trackingprotection.enabled` and focus on what permission we should set for a temp file created on Linux?

> This entire feature should be behind a pref 'just in case'.

For now, this feature is behind [`dom.media.mediasession.enabled`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/modules/libpref/init/StaticPrefList.yaml#2153-2157), which is only enabled in Firefox Nightly.

(In reply to Tom Ritter [:tjr] (ni for response to sec-[approval|rating|advisories|cve]) from comment #12)
> We would definitely want to ensure the image is downloaded credential-less and using the Null principal. Christoph can review/guide you on how to make sure that is the case. We would want to restrict the schemes allowed, it should only be http/https - no about: or file:// or otherwise.

The current implementation skips URLs that start with `file://`. It's easy to add a check to skip `about:` as well. The passed URL will be loaded via `asyncOpen` in `nsIChannel`. For the `http` or `https` case, [`nsHttpChannel::AsyncOpen`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6469) will be called. It seems some [*content security check*](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6471-6472) is done there.

> If we're already sending media data over this interface I feel like web tracking is not really coming into play here?

Currently (without adding the patches here), the information sent over *MPRIS* includes *track title*, *track artist*, and *album name*, without checking `privacy.trackingprotection.enabled`.

What the patches here do is pack a *path to a local image file* into the information sent over MPRIS as well, in addition to the track info above. So maybe we can skip checking `privacy.trackingprotection.enabled` and focus on what permission we should set for a temp file created on Linux?

> This entire feature should be behind a pref 'just in case'.

For now, this feature is behind [`dom.media.mediasession.enabled`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/modules/libpref/init/StaticPrefList.yaml#2153-2157), which is only enabled in Firefox Nightly.

(In reply to Tom Ritter [:tjr] (ni for response to sec-[approval|rating|advisories|cve]) from comment #12)
> We would definitely want to ensure the image is downloaded credential-less and using the Null principal. Christoph can review/guide you on how to make sure that is the case. We would want to restrict the schemes allowed, it should only be http/https - no about: or file:// or otherwise.

The current implementation [skips URLs that start with `file://`](https://phabricator.services.mozilla.com/D80303?id=310028#C2786628NL770). It's easy to add a check to skip `about:` as well. The passed URL will be loaded via `asyncOpen` in `nsIChannel`. For the `http` or `https` case, [`nsHttpChannel::AsyncOpen`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6469) will be called. It seems some [*content security check*](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6471-6472) is done there.

> If we're already sending media data over this interface I feel like web tracking is not really coming into play here?

Currently (without adding the patches here), the information sent over *MPRIS* includes *track title*, *track artist*, and *album name*, without checking `privacy.trackingprotection.enabled`.

What the patches here do is pack a *path to a local image file* into the information sent over MPRIS as well, in addition to the track info above. So maybe we can skip checking `privacy.trackingprotection.enabled` and focus on what permission we should set for a temp file created on Linux?

> This entire feature should be behind a pref 'just in case'.

For now, this feature is behind [`dom.media.mediasession.enabled`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/modules/libpref/init/StaticPrefList.yaml#2153-2157), which is only enabled in Firefox Nightly.

(In reply to Tom Ritter [:tjr] (ni for response to sec-[approval|rating|advisories|cve]) from comment #12)
> We would definitely want to ensure the image is downloaded credential-less and using the Null principal. Christoph can review/guide you on how to make sure that is the case. We would want to restrict the schemes allowed, it should only be http/https - no about: or file:// or otherwise.

The current implementation [skips URLs that start with `file://`](https://phabricator.services.mozilla.com/D80303?id=310028#C2786628NL770). It's easy to add a check to skip `about:` as well. The passed URL will be loaded via `asyncOpen` in `nsIChannel`. For the `http` or `https` case, [`nsHttpChannel::AsyncOpen`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6469) will be called. It seems some [*content security check*](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/netwerk/protocol/http/nsHttpChannel.cpp#6471-6472) is done there.

> If we're already sending media data over this interface I feel like web tracking is not really coming into play here?

Currently (without adding the patches here), the information sent over *MPRIS* includes *track title*, *track artist*, and *album name*, without checking `privacy.trackingprotection.enabled`.

What the patches here do is pack a *path to a local image file* into the information sent over MPRIS as well, in addition to the track info above. So maybe we can skip checking `privacy.trackingprotection.enabled` and focus on what permission we should set for a temp file created on Linux?

> This entire feature should be behind a pref 'just in case'.

For now, this feature is behind [`dom.media.mediasession.enabled`](https://searchfox.org/mozilla-central/rev/82c04b9cad5b98bdf682bd477f2b1e3071b004ad/modules/libpref/init/StaticPrefList.yaml#2153-2157), which is only enabled in Firefox Nightly.
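The scheme restriction discussed in the comment above can be handled in two ways: the denylist the current patch uses (skip `file://`, then also skip `about:`) or the allowlist the reviewer asked for (load nothing but `http` and `https`). The following is an added illustration, not code from the Firefox patch or from Gecko; it works on a plain `std::string` instead of `nsIURI` and parses the scheme itself per RFC 3986 so that the comparison is case-insensitive. It is written to show why the allowlist is the safer default: the prefix denylist passes anything it was not told about, including a differently-cased `FILE://` and schemes such as `data:` or `blob:`, while the allowlist admits only the two schemes that are wanted. In Gecko itself the equivalent check would go through the URI object's scheme accessor rather than raw string matching.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not code from the patch under discussion.
// Extract the URL scheme per RFC 3986:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// The result is lower-cased. Returns "" when the string carries no
// syntactically valid scheme (no ':' or an illegal character before it).
std::string ExtractScheme(const std::string& url) {
  std::string scheme;
  for (size_t i = 0; i < url.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(url[i]);
    if (c == ':') {
      return scheme;  // empty if ':' was the very first character
    }
    bool ok = (i == 0) ? (std::isalpha(c) != 0)
                       : (std::isalnum(c) != 0 || c == '+' || c == '-' || c == '.');
    if (!ok) return std::string();
    scheme.push_back(static_cast<char>(std::tolower(c)));
  }
  return std::string();  // ran off the end without finding ':'
}

// Denylist as described in the comment: reject file:// and about:, let
// everything else through. Kept here only to contrast with the allowlist.
bool DenylistAllows(const std::string& url) {
  return url.rfind("file://", 0) != 0 && url.rfind("about:", 0) != 0;
}

// Allowlist as requested in the quoted review: only http and https may be
// fetched for the artwork, whatever else the URL says.
bool AllowlistAllows(const std::string& url) {
  const std::string scheme = ExtractScheme(url);
  return scheme == "http" || scheme == "https";
}

int main() {
  // Constructed sample inputs; none of these are from the bug.
  const std::vector<std::string> samples = {
      "https://example.com/cover.png",
      "HTTP://example.com/cover.png",
      "file:///tmp/cover.png",
      "FILE:///tmp/cover.png",
      "about:blank",
      "data:image/png;base64,AAAA",
      "blob:https://example.com/0000-1111",
      "no-scheme-here",
  };
  std::printf("%-40s %-8s %-8s %s\n", "url", "scheme", "denylist", "allowlist");
  for (const auto& url : samples) {
    std::printf("%-40s %-8s %-8s %s\n", url.c_str(), ExtractScheme(url).c_str(),
                DenylistAllows(url) ? "pass" : "block",
                AllowlistAllows(url) ? "pass" : "block");
  }
  return 0;
}
```

Running it prints one row per sample; the rows for `FILE:///tmp/cover.png`, `data:` and `blob:` are the ones where the two policies disagree, and they are exactly the cases an allowlist settles without further patching.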
