WebRTC: Error recording remote media stream (Security Error: operation is insecure)
Categories
(Core :: Audio/Video: Recording, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox72 | --- | fixed |
People
(Reporter: AirMike23, Assigned: pehrsons)
References
Details
Attachments
(5 files)
|
||
Comment 1•9 years ago
|
||
|
||
Comment 2•9 years ago
|
||
|
Assignee | |
Comment 3•9 years ago
|
||
|
|
||
Comment 4•9 years ago
|
||
|
||
Comment 5•7 years ago
|
||
|
||
Comment 8•5 years ago
|
||
Has any progress been made towards fixing this bug?
|
||
Updated•5 years ago
|
|
|
||
Comment 9•5 years ago
|
||
Do you have room on your plate for this? This is the cause of one of our more common intermittent test failures.
|
|
Assignee | |
Comment 10•5 years ago
•
|
||
What do you suggest I do here?
The only known bug I'm aware of is that "unmute" may fire before the principal has propagated, but isn't that another bug?
Otherwise, we're to spec, no?
|
|
||
Comment 11•5 years ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #10)
What do you suggest I do here?
The only known bug I'm aware of is that "unmute" may fire before the principal has propagated, but isn't that another bug?
Otherwise, we're to spec, no?
Has the stuff you've described in comment 3 already been done, or ruled out?
|
|
Assignee | |
Comment 12•5 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #11)
(In reply to Andreas Pehrson [:pehrsons] from comment #10)
What do you suggest I do here?
The only known bug I'm aware of is that "unmute" may fire before the principal has propagated, but isn't that another bug?
Otherwise, we're to spec, no?Has the stuff you've described in comment 3 already been done, or ruled out?
Inlining my answers into comment 3.
(In reply to Andreas Pehrson [:pehrsons] from comment #3)
I agree with Martin's analysis on what's happening, I even saw the code for
this the other day.There's an issue noted in the spec elaborating a bit on this. See the bottom
of 5.1.3 at [1].
This issue is gone from the latest webrtc-pc draft. jib or bwc, do you know what this was resolved as? (Since the issue ended with "For now, we simply make note of this issue, until it can be considered fully by the WG.")
The workaround Martin mentions is actually more of a proper fix IMO;
MediaRecorder should just check the principal when it starts recording,
i.e., when data is available on the stream and it raises the "start" event,
see [2].
The MediaRecorder spec defines what to do here now, and it will throw a SecurityError in start(). To me this means we're doing the right thing, modulo the potential "unmute" bug mentioned in comment 10, and our lack of the "isolationchange" event that's supposed to notify content that it's ok to use the tracks per bug 1475360. If we think the above is the right approach it would deserve some spec work IMO.
Our webidl for MediaRecorder has [Throws] on each method though the spec
says none of them should throw. We should remove the throwing and fix this
issue at the same time. MediaRecorder has an "error" event we can use
instead of any throwing. Perhaps something you want to look at if you're
doing MediaRecorder work Maire?[1]
https://w3c.github.io/webrtc-pc/archives/20151006/webrtc.html#processing-
remote-mediastreamtracks
[2]
http://w3c.github.io/mediacapture-record/MediaRecorder.html#widl-
MediaRecorder-start-void-long-timeslice
|
|
||
Comment 13•5 years ago
|
||
Ok, so I guess the "right" way of fixing this is to fix bug 1475360, and then modify our test code to pay attention to that.
We might be able to work around by adding a short delay.
|
|
Assignee | |
Comment 14•5 years ago
|
||
For now making sure "unmute" fires after the principal has been fully updated would also work. If we modify our tests to look for that.
|
|
||
Comment 15•5 years ago
|
||
There's nothing in the spec that says anything about the timing of "unmute" vs the update of the principal, unfortunately.
|
|
||
Comment 16•5 years ago
|
||
When the "remote" stream is in fact a local PeerConnection why is there a "Security Error" thrown at all by MediaRecorder?
|
|
||
Comment 17•5 years ago
|
||
(In reply to guest271314 from comment #16)
When the "remote" stream is in fact a local
PeerConnectionwhy is there a "Security Error" thrown at all byMediaRecorder?
Because the PeerConnection API is not designed to disable this checking if both ends happen to be running in the same tab. This is also why the media being passed between the two PeerConnections is encrypted, regardless of where those PeerConnections actually are. PeerConnection is, at its heart, an API that starts with the assumption that peer-to-peer media is being exchanged between two different browser instances (or, a browser instance and some external media entity like a gateway).
|
|
||
Comment 18•5 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #17)
(In reply to guest271314 from comment #16)
When the "remote" stream is in fact a local
PeerConnectionwhy is there a "Security Error" thrown at all byMediaRecorder?Because the PeerConnection API is not designed to disable this checking if both ends happen to be running in the same tab.
Can that be changed to reflect the case where the sole purpose of using PeerConnection is for the functionality of RTCRtpSender.replaceTrack() to overcome the currently specified limitations of MediaRecorder?
This is also why the media being passed between the two PeerConnections is encrypted, regardless of where those PeerConnections actually are. PeerConnection is, at its heart, an API that starts with the assumption that peer-to-peer media is being exchanged between two different browser instances (or, a browser instance and some external media entity like a gateway).
What are the security implications of two instances of RTCPeerConnection being used at the same tab in the same browser; that is, when the initial assumption that peer-to-peer media is being exchanged between two different browser instances, is not the case?
|
|
||
Comment 19•5 years ago
|
||
(In reply to guest271314 from comment #18)
(In reply to Byron Campen [:bwc] from comment #17)
(In reply to guest271314 from comment #16)
When the "remote" stream is in fact a local
PeerConnectionwhy is there a "Security Error" thrown at all byMediaRecorder?Because the PeerConnection API is not designed to disable this checking if both ends happen to be running in the same tab.
Can that be changed to reflect the case where the sole purpose of using
PeerConnectionis for the functionality ofRTCRtpSender.replaceTrack()to overcome the currently specified limitations ofMediaRecorder?
No, because doing so would violate the w3c specification. What you're doing is not a use-case that the PeerConnection API was designed for, so I'm afraid you're going to have to live with some friction, or find another way to do what you want.
|
|
||
Comment 20•5 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #19)
(In reply to guest271314 from comment #18)
(In reply to Byron Campen [:bwc] from comment #17)
(In reply to guest271314 from comment #16)
When the "remote" stream is in fact a local
PeerConnectionwhy is there a "Security Error" thrown at all byMediaRecorder?Because the PeerConnection API is not designed to disable this checking if both ends happen to be running in the same tab.
Can that be changed to reflect the case where the sole purpose of using
PeerConnectionis for the functionality ofRTCRtpSender.replaceTrack()to overcome the currently specified limitations ofMediaRecorder?No, because doing so would violate the w3c specification. What you're doing is not a use-case that the PeerConnection API was designed for, so I'm afraid you're going to have to live with some friction, or find another way to do what you want.
The W3C specification has been and is constantly being changed.
That does not answer the question as to what the security implications of RTCPeerConnection being used at the same tab at the same browser are.
|
|
||
Comment 21•5 years ago
|
||
(In reply to guest271314 from comment #20)
(In reply to Byron Campen [:bwc] from comment #19)
(In reply to guest271314 from comment #18)
(In reply to Byron Campen [:bwc] from comment #17)
(In reply to guest271314 from comment #16)
When the "remote" stream is in fact a local
PeerConnectionwhy is there a "Security Error" thrown at all byMediaRecorder?Because the PeerConnection API is not designed to disable this checking if both ends happen to be running in the same tab.
Can that be changed to reflect the case where the sole purpose of using
PeerConnectionis for the functionality ofRTCRtpSender.replaceTrack()to overcome the currently specified limitations ofMediaRecorder?No, because doing so would violate the w3c specification. What you're doing is not a use-case that the PeerConnection API was designed for, so I'm afraid you're going to have to live with some friction, or find another way to do what you want.
The W3C specification has been and is constantly being changed.
That does not answer the question as to what the security implications of
RTCPeerConnectionbeing used at the same tab at the same browser are.
What you're trying to do here is very far outside the scope of what the webrtc-pc working group was chartered to do. You might have some luck trying to get a "seamless switching" feature incorporated into the MediaRecorder spec, however.
|
||
Comment 22•5 years ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #12)
This issue is gone from the latest webrtc-pc draft. jib or bwc, do you know what this was resolved as?
The section was deleted here. The conclusion was that early media cannot happen. Specifically: packets cannot arrive before the DTLS fingerprint. Thus, listening to the mute event should suffice, according to webrtc-pc, which says to fire the event when it "receives data on an RTP source".
It sounds from bug 1542616 comment 17 that we fire unmute before the principal is ready (or set the principal too late).
I've verified this using this fiddle where I wait for unmute, and I still get SecurityError. That's the bug to fix.
|
|
||
Comment 23•5 years ago
|
||
Oddly, to work around this, I find I have to wait as much as 1000 ms! What can possibly take that long?
|
|
Assignee | |
Comment 24•5 years ago
|
||
It must be content, see https://bugzilla.mozilla.org/show_bug.cgi?id=1542616#c17
If you want more details, MediaStreamTrack logs should shine some light on what's happening.
If early media cannot happen, would it be an option to start with a friendly principal and when dtls is conncected switch to the secure one if needed? Becoming secure would be immediate (on main thread) since a secure and friendly principal merge into a secure one.
A track can start with any principal, but a change later on requires verification in content to guarantee that no content leaks under the wrong principal.
|
|
||
Comment 25•5 years ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #24)
It must be content, see https://bugzilla.mozilla.org/show_bug.cgi?id=1542616#c17
If you want more details, MediaStreamTrack logs should shine some light on what's happening.If early media cannot happen, would it be an option to start with a friendly principal and when dtls is conncected switch to the secure one if needed? Becoming secure would be immediate (on main thread) since a secure and friendly principal merge into a secure one.
Hmm. I guess that would work.
|
|
||
Comment 26•5 years ago
|
||
Yeah that might work. But if principal changes still have this 1 second delay, then we need to ensure we don't leak the initial frame(s) of media isolated by peerIdentity.
|
|
Assignee | |
Comment 27•5 years ago
|
||
Like I said, making it more secure is immediate. The only trick is to set the principal on main thread before adding the first frame on whatever other thread, at least if that frame was meant to go with a secure principal.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 28•5 years ago
|
||
Byron: do we have a way to test in automation the case where peerIdentity is not set but the ALPN negotiation still tells us that privacy is requested?
|
|
Assignee | |
Comment 29•5 years ago
|
||
Apart from testing that case, this is getting ready: https://treeherder.mozilla.org/#/jobs?repo=try&revision=1a5be6c6542f823104b07b606bd708527534d9bf
|
|
||
Comment 30•5 years ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #28)
Byron: do we have a way to test in automation the case where peerIdentity is not set but the ALPN negotiation still tells us that privacy is requested?
I don't see a way to do that right now, no.
|
|
Assignee | |
Comment 31•5 years ago
|
||
|
|
Assignee | |
Comment 32•5 years ago
|
||
Depends on D48944
|
|
Assignee | |
Comment 33•5 years ago
|
||
This patch fixes two things:
- A potential threading issue in setting and reading the PrincipalHandle for
MediaPipelineReceiveVideo. - Plumbs the PrincipalHandle down to the receiving MediaPipelines right from
the start. It hasn't been necessary in the past as initially the principal
handed to a track's constructor is trusted, but it's good form and will help
clarify the situation for the next patch which switches the initial
principal from always-private to mostly-non-private. In most cases this
principal does no longer get updated after the track's been created, so it
helps to have a PrincipalHandle that matches the track's principal.
Depends on D48945
|
|
Assignee | |
Comment 34•5 years ago
|
||
This swaps things around so that received tracks in peer connections have a
content principal instead of a null principal initially.
This puts an extra requirement on us to not output any frames under the content
principal after ALPN has been negotiated with requested privacy, but before this
private principal has been signaled to the MediaPipelines. The private principal
is signaled from the STS thread, via the main thread, whereas media is consumed
directly by MediaPipelines after being received on the STS thread.
This patch adds an extra signaling path to tell MediaPipelines to wait for a
private principal before adding data into the graph, that is signaled directly
from the STS thread.
This lets all MediaStream and MediaStreamTrack APIs consume received tracks
directly after getting exposed to JS without errors. In case privacy is later
requested, consumers that have already been set up must handle this on the fly.
Depends on D48946
|
|
||
Comment 35•5 years ago
|
||
Thanks for taking this on Andreas, this is the shape of the fix that I had always wanted to have, but didn't have the guts to attempt.
|
|
Assignee | |
Comment 36•5 years ago
|
||
nsISerialEventTarget is more semantically accurate for these uses, as the
dispatched runnables cannot run in parallel. It also allows us to use
InvokeAsync in future patches, as that function only takes nsISerialEventTarget.
Depends on D48946
|
|
||
Comment 37•5 years ago
|
||
I'm going to wait until this lands before landing bug 1588588, since there are going to be conflicts.
|
||
Updated•5 years ago
|
|
||
Comment 38•5 years ago
|
||
|
||
Comment 39•5 years ago
|
||
Backed out 7 changesets (Bug 1212237, Bug 1588055) for mochitest failures at test_peerConnection_recordReceiveTrack.html.
Backout: https://hg.mozilla.org/integration/autoland/rev/37769ce983ece0ad9e7213b675dbfef5ee1c8b7d
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=15f2829db807a503a42e8d35ab5cbdf6f05d65fe
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=274727458&repo=autoland&lineNumber=3148
|
|
Assignee | |
Comment 40•5 years ago
|
||
This might be because those devices are using hw decoders, whose frames the MediaRecorder cannot access the pixels of yet.
|
|
||
Comment 41•5 years ago
|
||
|
||
Comment 42•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9ded4b6c5fba
https://hg.mozilla.org/mozilla-central/rev/14b3d64aeba9
https://hg.mozilla.org/mozilla-central/rev/f828ded989ea
https://hg.mozilla.org/mozilla-central/rev/fafd810651ef
https://hg.mozilla.org/mozilla-central/rev/28a50db0c006
Description
•