WebSpeech API mustn't allow fingerprinting

NEW
Unassigned

Status

()

Core
Web Speech
P5
normal
3 years ago
7 months ago

People

(Reporter: KOLANICH, Unassigned)

Tracking

(Blocks: 1 bug, {privacy})

46 Branch
privacy
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fingerprinting][fp-triaged])

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20151218030232

Steps to reproduce:

speechSynthesis.getVoices()


Actual results:

It exposes info about TTS engines installed in the system


Expected results:

This can be used for fingerprinting. I suggest to redesign the API
1 speechSynthesis.getVoices() must be allowed only to addons with enough priveleges
2 Add speechSynthesis.getVoiceSelectorWidget() which should return a DOM node allowing the user to select speech engine but disallowing the webpage to see its internals.
3 events timing must be obfuscated by adding a random value from some range to them.
(Reporter)

Updated

3 years ago
Component: Untriaged → Web Speech
Product: Firefox → Core
(Reporter)

Comment 1

3 years ago
4 There should be a generalized TTS engine which will select and use another engines based on SSML tags.

Comment 2

3 years ago
Could you file this also as a spec bug?

https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Speech%20API
(Reporter)

Comment 3

3 years ago
(In reply to Olli Pettay [:smaug] from comment #2)
Done.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Whiteboard: [fingerprinting]

Updated

a year ago
Blocks: 1329996

Updated

7 months ago
Priority: -- → P5
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
You need to log in before you can comment on or make changes to this bug.