Open Bug 1490475 Opened 6 years ago Updated 2 years ago

deviceIds can be obtained cross-origin by a rogue content process

Categories

(Core :: Audio/Video: Recording, enhancement, P3)

Tracking

Fission Milestone Future

People

(Reporter: tjr, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

In dom/media/systemservices/PMedia.ipdl, the GetPrincipalKey accepts a Principal and will return deviceIds based on that Principal.

A rogue Content Process could call this API with a fraudulent Principal and retrieve an identifier that would be able to link users cross-origin. We should validate that the principal provided by the content process is permissible by the Content Process that supplied it.
Jan-Ivar, can you have a look at this?
Flags: needinfo?(jib)
Priority: -- → P3
Depends on: fission-ipc-map
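A sketch of the parent-side check the report asks for, added here as an example; it is not Firefox's or PMedia's own code. The parent keeps, per content process, the set of origins it has assigned to that process, and a GetPrincipalKey-style request is refused when the origin named in the supplied principal is not in that set, so a process cannot learn another origin's deviceId by naming a principal it does not host. The class and function names, the FNV-1a hash used in place of a keyed MAC, and the sample pids, origins and salt are all constructed for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <set>
#include <string>

// Hypothetical per-process record the parent keeps: the origins this
// content process is allowed to act for (assigned when it was spawned).
struct ContentProcessInfo {
    std::set<std::string> allowedOrigins;
};

// Hypothetical parent-side broker standing in for the PMedia parent actor.
class MediaParentBroker {
public:
    // The per-profile salt that makes deviceIds unguessable without it.
    // Constructed here; real code would draw it from a CSPRNG.
    explicit MediaParentBroker(std::string salt) : mSalt(std::move(salt)) {}

    void RegisterProcess(int pid, std::set<std::string> origins) {
        mProcesses[pid] = ContentProcessInfo{std::move(origins)};
    }

    // GetPrincipalKey-like entry point. The origin comes from the principal
    // the content process sent; the pid identifies the actual sender, which
    // the parent knows from the IPC channel rather than from the message.
    std::optional<std::string> GetDeviceIdForOrigin(int requestingPid,
                                                    const std::string& origin,
                                                    const std::string& rawDeviceId) const {
        auto it = mProcesses.find(requestingPid);
        if (it == mProcesses.end()) {
            return std::nullopt;  // unknown sender: refuse
        }
        if (it->second.allowedOrigins.count(origin) == 0) {
            // The check the bug asks for: the sender named an origin it does
            // not host, so do not derive that origin's identifier for it.
            return std::nullopt;
        }
        // Per-origin derivation: the same physical device yields different
        // ids for different origins, so ids cannot be joined across sites.
        return HashHex(mSalt + "|" + origin + "|" + rawDeviceId);
    }

private:
    std::string mSalt;
    std::map<int, ContentProcessInfo> mProcesses;

    // 64-bit FNV-1a, used only to keep the example deterministic and
    // dependency-free; it is not a substitute for a keyed MAC.
    static std::string HashHex(const std::string& s) {
        uint64_t h = 1469598103934665603ULL;
        for (unsigned char c : s) {
            h ^= c;
            h *= 1099511628211ULL;
        }
        static const char* digits = "0123456789abcdef";
        std::string out(16, '0');
        for (int i = 15; i >= 0; --i) {
            out[i] = digits[h & 0xF];
            h >>= 4;
        }
        return out;
    }
};

// Constructed scenario: two processes, each hosting one origin.
MediaParentBroker MakeExampleBroker() {
    MediaParentBroker broker("constructed-profile-salt");
    broker.RegisterProcess(1001, {"https://a.example"});
    broker.RegisterProcess(1002, {"https://b.example"});
    return broker;
}

// Runs the scenario and returns true if every expectation holds.
bool DemoChecks() {
    MediaParentBroker broker = MakeExampleBroker();
    auto a = broker.GetDeviceIdForOrigin(1001, "https://a.example", "cam-0");
    auto b = broker.GetDeviceIdForOrigin(1002, "https://b.example", "cam-0");
    auto spoofed = broker.GetDeviceIdForOrigin(1002, "https://a.example", "cam-0");
    auto again = broker.GetDeviceIdForOrigin(1001, "https://a.example", "cam-0");
    return a.has_value() && b.has_value()   // legitimate requests succeed
        && *a != *b                         // same device, different origins
        && !spoofed.has_value()             // forged principal is refused
        && again.has_value() && *a == *again;  // stable within an origin
}

int main() {
    std::cout << (DemoChecks() ? "all checks passed" : "a check failed") << "\n";
    return DemoChecks() ? 0 : 1;
}
```

The point of keying the check on the pid rather than on anything inside the message is that the sender's identity is established by the channel the parent accepted, so a content process cannot change it by lying in the request body.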
This appears to be part of a larger fission-ipc effort which will likely drive priority.

By itself, P3 seems appropriate, since the value of obtaining a different origin's deviceId seems very low, at least compared to related risks like our camera permission sandbox kludge which looks unchanged since bug 1177242 comment 8 and AFAICT still suffers from origin spoofing for users who have granted persistent permission to at least one site. It might benefit from bug 1491018. Tom, do we want a new bug on that?
Flags: needinfo?(jib) → needinfo?(tom)
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #2)
> This appears to be part of a larger fission-ipc effort which will likely
> drive priority.
> ...
> By itself, P3 seems appropriate

P3, yes.

> since the value of obtaining a different
> origin's deviceId seems very low, at least compared to related risks like
> our camera permission sandbox kludge which looks unchanged since bug 1177242
> comment 8 and AFAICT still suffers from origin spoofing for users who have
> granted persistent permission to at least one site. It might benefit from bug 1491018. Tom, do we want a new bug on that?

Yes, definitely. When we have more of Fission done, and Bug 1491018, we should be able to assertively validate the requesting origin for camera/mic access in the Parent, as well as prevent origin spoofing. I can file a bug if you like, but you'd probably be able to provide better details.
Flags: needinfo?(tom)
I think what you just said covers it, so if you could file it with the right blockers that would be great, thanks! :)
See Also: → 1492223

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Severity: normal → S3