Open
Bug 1420809
Opened 8 years ago
Updated 3 years ago
Permissions that are perpetually denied should not return Reject immediately
Categories
(Core :: Security, enhancement, P3)
NEW
People
(Reporter: tjr, Unassigned)
Details
(Whiteboard: [fingerprinting][fp-triaged])
As discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1381628#c23, if we delay the (rejection) response to a permanently denied permission, we can *sometimes* make it difficult for a site to learn that its permission has been perpetually denied. This avoids data leakage about the user's behavior and removes a tracking aspect.
Comment 1•8 years ago
I think this should be restricted to privacy.resistFingerprinting = true
Priority: -- → P3
(Reporter)
Comment 2•8 years ago
How come? It seems like this is pretty safe to do by default. (No UI for the user, no risk of web incompat or breaking sites...)
Comment 3•8 years ago
Yeah, you're probably right. I initially thought we would add this to the permission manager API and was a little concerned about the large artificial delay, but I don't think it's viable to do that. To provide a bit more context:
We have (expired) Telemetry on user reaction to permission prompts: https://mzl.la/2ABJWPF
According to this, a significant portion of users respond between 1.24s and 6.17s (it's very evenly distributed in that range).
Because of the massive internal usage and since it's a synchronous API, adding this delay to the Permission Manager functions is probably not what we want. Unless we figure out something different, we'll have to implement the feature individually for the different DOM APIs that are exposing permission checks to the web. Which is probably a lot of work, and we have to watch every new API to make sure they add the same measures. And I start to believe this bug might want to live in a different component, such as Firefox::Security.
(Reporter)
Updated•7 years ago
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
Updated•7 years ago
status-firefox59: affected → ---
Component: Permission Manager → Security
Updated•3 years ago
Severity: normal → S3
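A small model of the delayed rejection proposed in the description, using the 1.24s to 6.17s reaction window quoted in comment 3. This is an added example, not Firefox code and not written by anyone in the thread; every function name, the `stored` state strings and the uniform sampling of the delay are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not Gecko code.
// Reaction window taken from the telemetry figures quoted in comment 3.
const HUMAN_MIN_MS = 1240;
const HUMAN_MAX_MS = 6170;

// Pick a delay uniformly inside the human window. `rng` returns a value in [0, 1).
function humanLikeDelayMs(rng = Math.random) {
  return Math.round(HUMAN_MIN_MS + rng() * (HUMAN_MAX_MS - HUMAN_MIN_MS));
}

// Decide how a permission request settles and after how long.
// stored:  "granted" | "denied" | "prompt" (no stored decision yet)
// askUser: () => ({ allow, reactionMs }), only consulted for "prompt"
function planResponse(stored, askUser, { delayDenied = true, rng = Math.random } = {}) {
  if (stored === "granted") return { outcome: "resolve", afterMs: 0 };
  if (stored === "denied") {
    // Without the delay the rejection arrives after 0 ms, which no click on a
    // prompt produces, so the page can tell the denial was stored earlier.
    return { outcome: "reject", afterMs: delayDenied ? humanLikeDelayMs(rng) : 0 };
  }
  const { allow, reactionMs } = askUser();
  return { outcome: allow ? "resolve" : "reject", afterMs: reactionMs };
}

// Promise-based wrapper in the style of a DOM API that exposes the check.
// Comment 3 notes each such API would need this treatment individually.
function requestPermission(stored, askUser, opts) {
  const plan = planResponse(stored, askUser, opts);
  return new Promise((resolve, reject) => {
    setTimeout(() => {
      if (plan.outcome === "resolve") resolve("granted");
      else reject(new Error("NotAllowedError"));
    }, plan.afterMs);
  });
}

// True if a rejection latency is consistent with a person answering a prompt.
function looksLikeHumanDenial(afterMs) {
  return afterMs >= HUMAN_MIN_MS && afterMs <= HUMAN_MAX_MS;
}
```

The delay lives in the asynchronous wrapper rather than in the stored-state lookup, which matches the concern in comment 3 about not slowing the synchronous Permission Manager functions.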