Bug 1431329 - If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification.
Showing a notification containing stuff in private browsing mode makes it leak into the operating system. Custom Android launchers, as well as other software providing a backlog of notifications, would allow unearthing parts of private browsing sessions. Background is an article about this happening for Chrome, but it's true for Fennec as well: https://www.androidpit.com/chrome-incognito-mode-not-as-private-as-you-think Focus is not affected, as it does not show any content-related notifications. Rating this as sec-low, as it requires a local attacker. It's common and easily done to protect a phone from unauthorized physical access.
Does this need to be behind a sec flag? Visibility might make this easier to fix.
You're right. This is public information.
[triage] Potentially critical - leaking private browsing information to the OS through notifications, which gets stored in a notification log on the device that users can access. Susheel, what do you think? fwiw, I recommend reading the article for full details on impact.
Priority: -- → P1
Up to Andreas.
Flags: needinfo?(sdaswani) → needinfo?(abovens)
Sorry for the delayed reply. This is probably something we should target for an upcoming release. 61, 62?
Flags: needinfo?(abovens) → needinfo?(bbermes)
Attachment #8967315 - Flags: review?(sdaswani) → review?(michael.l.comella)
Comment on attachment 8967315 [details]
Bug 1431329 - If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification.

https://reviewboard.mozilla.org/r/236018/#review241950

This appears to do the trick: `updateNotification` is only called from `onStateChanged`, so if we return on private tabs before `updateNotification` is called, we'll never display a notification in private browsing mode.

Note that there's dead code in `updateNotification`: https://searchfox.org/mozilla-central/rev/4114ad2cfcbc511705c7865a4a34741812f9a2a9/mobile/android/base/java/org/mozilla/gecko/media/MediaControlService.java#370

And I probably would also throw in an assertion in `updateNotification` to ensure we're never getting a private tab. However, I don't think it's worth anyone's time to implement, re-review, etc. :)

We're also logcatting that the media player is running (https://searchfox.org/mozilla-central/rev/4114ad2cfcbc511705c7865a4a34741812f9a2a9/mobile/android/base/java/org/mozilla/gecko/media/MediaControlService.java#336), but we're not including URLs and logcat is mostly secure, so I'm not too concerned about that.
Attachment #8967315 - Flags: review?(michael.l.comella) → review+
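The guard the review describes, as an added example that is not Fennec's `MediaControlService` code: `onStateChanged` is the single caller of `updateNotification`, so returning early for a private tab means no notification is ever handed to the OS, and a defensive assertion in `updateNotification` catches any future caller that forgets the check. `Tab`, `MediaState` and the notification list are simplified stand-ins assumed for this example, not the real Gecko classes.

```java
// Added example, not Fennec's MediaControlService. Tab, MediaState and the
// postedNotifications list are simplified stand-ins for the real Gecko types.
import java.util.ArrayList;
import java.util.List;

public class MediaNotificationGuard {
    static final class Tab {
        final String url;
        final boolean isPrivate;
        Tab(String url, boolean isPrivate) { this.url = url; this.isPrivate = isPrivate; }
    }

    enum MediaState { PLAYING, PAUSED, STOPPED }

    // Stands in for what would be posted to the system notification tray, which
    // launchers and notification-history apps can later read back.
    final List<String> postedNotifications = new ArrayList<>();

    // Equivalent of onStateChanged: the only path that reaches updateNotification.
    void onStateChanged(Tab tab, MediaState state) {
        if (tab == null) {
            return;
        }
        // Private-browsing tabs stop here, so their media title/URL never leaves the app.
        if (tab.isPrivate) {
            return;
        }
        updateNotification(tab, state);
    }

    // The assertion suggested in review: fail loudly if a private tab ever gets this far.
    void updateNotification(Tab tab, MediaState state) {
        if (tab.isPrivate) {
            throw new AssertionError("private tab reached updateNotification");
        }
        if (state == MediaState.STOPPED) {
            postedNotifications.clear(); // cancel the media notification
            return;
        }
        postedNotifications.add(state + ": " + tab.url);
    }

    public static void main(String[] args) {
        MediaNotificationGuard svc = new MediaNotificationGuard();
        // Constructed sample tabs: one normal, one private.
        svc.onStateChanged(new Tab("https://example.com/video", false), MediaState.PLAYING);
        svc.onStateChanged(new Tab("https://example.com/private-video", true), MediaState.PLAYING);
        System.out.println(svc.postedNotifications);
    }
}
```

Running `main` posts a notification only for the non-private tab; the private tab's URL never appears in the list, which is the property the bug asks for.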
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/6ea3c1db0060 If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification. r=mcomella
Whiteboard: [Leanplum]  → [Leanplum] [adv-main61+]
Verified as fixed in Beta 61.0b15. I watched a video on YouTube and Vimeo in private browsing mode and no media playback notification appeared. If any further testing is needed here, please let me know. Thanks.
Whiteboard: [Leanplum] [adv-main61+] → [Leanplum] [adv-main61-]