1233846 - WebSpeech Synthesis API mustn't allow fingerprinting

Status: NEW

(Core :: Web Speech, defect, P3)

Description

[KOLANICH]

User Agent: Mozilla/5.0 (Windows NT 6.3; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20151218030232

Steps to reproduce:

speechSynthesis.getVoices()


Actual results:

It exposes info about TTS engines installed in the system


Expected results:

This can be used for fingerprinting. I suggest to redesign the API
1 speechSynthesis.getVoices() must be allowed only to addons with enough priveleges
2 Add speechSynthesis.getVoiceSelectorWidget() which should return a DOM node allowing the user to select speech engine but disallowing the webpage to see its internals.
3 events timing must be obfuscated by adding a random value from some range to them.

Comment 1

[KOLANICH]

4 There should be a generalized TTS engine which will select and use another engines based on SSML tags.

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Could you file this also as a spec bug?

https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Speech%20API

Comment 3

[KOLANICH]

(In reply to Olli Pettay [:smaug] from comment #2)
Done.

Comment 5

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

This has never been addressed by the spec. In RFP we report an empty list of voices.

Comment 6

[Simon Mainey]

see also https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41127