Bug 1797020 Comment 4 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Initial telemetry indicates that, after [blocklisting the builtin synth on Windows](bug 1798097), only about 3% of windows and mac Nightly users have MIDI devices connected. Most (~85%) Linux users have a (likely virtual) device [1].

As such, auto-denying MIDI access in the absence of devices should result in an order-of-magnitude reduction in the number of users who might experience nuisance prompts. The patches here randomize the auto-deny time to make it harder for sites to use timing attacks to infer the existence or non-existence of devices.

[1] Emilio did some local testing across Fedora, Ubuntu, and Arch and found that each of them exposes a device called "Midi Through". In contrast to the situation on Windows, Chrome exposes this device, so we should probably do the same for compat reasons.
Initial telemetry indicates that, after blocklisting the builtin synth on Windows (bug 1798097), only about 3% of windows and mac Nightly users have MIDI devices connected. Most (~85%) Linux users have a (likely virtual) device [1].

As such, auto-denying MIDI access in the absence of devices should result in an order-of-magnitude reduction in the number of users who might experience nuisance prompts. The patches here randomize the auto-deny time to make it harder for sites to use timing attacks to infer the existence or non-existence of devices.

[1] Emilio did some local testing across Fedora, Ubuntu, and Arch and found that each of them exposes a device called "Midi Through". In contrast to the situation on Windows, Chrome exposes this device, so we should probably do the same for compat reasons.

Back to Bug 1797020 Comment 4