Open
Bug 1233846
Opened 9 years ago
Updated 2 years ago
WebSpeech Synthesis API mustn't allow fingerprinting
Categories
(Core :: Web Speech, defect, P3)
Tracking
()
NEW
People
(Reporter: kolan_n, Unassigned)
References
Details
(Keywords: privacy, Whiteboard: [fingerprinting][tor 10283][fp-triaged])
User Agent: Mozilla/5.0 (Windows NT 6.3; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20151218030232
Steps to reproduce:
speechSynthesis.getVoices()
Actual results:
It exposes info about TTS engines installed in the system
Expected results:
This can be used for fingerprinting. I suggest to redesign the API
1 speechSynthesis.getVoices() must be allowed only to addons with enough priveleges
2 Add speechSynthesis.getVoiceSelectorWidget() which should return a DOM node allowing the user to select speech engine but disallowing the webpage to see its internals.
3 events timing must be obfuscated by adding a random value from some range to them.
4 There should be a generalized TTS engine which will select and use another engines based on SSML tags.
|
||
Comment 2•9 years ago
|
||
Could you file this also as a spec bug?
https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Speech%20API
(In reply to Olli Pettay [:smaug] from comment #2)
Done.
|
||
Updated•9 years ago
|
|
||
Updated•8 years ago
|
Blocks: uplift_tor_fingerprinting
|
||
Updated•7 years ago
|
|
|
||
Updated•7 years ago
|
Priority: -- → P5
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
|
||
Updated•7 years ago
|
Whiteboard: [fingerprinting][fp-triaged] → [fingerprinting][fp-triaged][tor 10283]
|
|
||
Updated•7 years ago
|
See Also: → 1485280
Summary: WebSpeech API mustn't allow fingerprinting → WebSpeech Synthesis API mustn't allow fingerprinting
|
|
||
Updated•6 years ago
|
Whiteboard: [fingerprinting][fp-triaged][tor 10283] → [fingerprinting][tor 10283]
|
|
||
Updated•6 years ago
|
No longer blocks: uplift_tor_fingerprinting
Priority: P5 → P3
Whiteboard: [fingerprinting][tor 10283] → [fingerprinting][tor 10283][fp-triaged]
|
||
Updated•3 years ago
|
Severity: normal → S3
|
|
||
Comment 5•2 years ago
|
||
This has never been addressed by the spec. In RFP we report an empty list of voices.
|
||
Comment 6•2 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•