Closed
Bug 1497141
Opened 6 years ago
Closed 6 years ago
FeaturePolicy: camera and microphone
Categories
(Core :: DOM: Security, enhancement)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla64
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
References
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1] [domsecurity-active])
Attachments
(3 files, 2 obsolete files)
|
3.67 KB,
patch
|
jib
:
review+
|
Details | Diff | Splinter Review |
|
5.84 KB,
patch
|
jib
:
review+
|
Details | Diff | Splinter Review |
|
3.98 KB,
patch
|
jib
:
review+
|
Details | Diff | Splinter Review |
FeaturePolicy support for camera and microphone
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
Attachment #9015198 -
Flags: review?(jib)
|
|
Assignee | |
Comment 2•6 years ago
|
||
Attachment #9015199 -
Flags: review?(jib)
|
|
Assignee | |
Comment 3•6 years ago
|
||
Attachment #9015200 -
Flags: review?(jib)
|
||
Comment 4•6 years ago
|
||
Comment on attachment 9015198 [details] [diff] [review]
part 1 - camera
Review of attachment 9015198 [details] [diff] [review]:
-----------------------------------------------------------------
I'd like to see it again over the doc check.
::: dom/media/MediaManager.cpp
@@ +2891,5 @@
> + if (Preferences::GetBool("media.getusermedia.camera.deny", false)) {
> + videoPerm = nsIPermissionManager::DENY_ACTION;
> + }
> +
> + if (videoPerm == nsIPermissionManager::UNKNOWN_ACTION) {
Nit: any reason not to prefer a simpler `} else {` here?
@@ +2894,5 @@
> +
> + if (videoPerm == nsIPermissionManager::UNKNOWN_ACTION) {
> + nsIDocument* doc = aWindow->GetExtantDoc();
> + if (!doc ||
> + !dom::FeaturePolicyUtils::IsFeatureAllowed(doc, NS_LITERAL_STRING("camera"))) {
If doc is nullptr here I think we want to err on the side of DENY_ACTION, to avoid potential timing exploits.
Or better, don't check doc at all and crash instead, since there's some precedence here for that [1]
Or if you prefer, make `doc` invariant by creating it earlier in this function and bail there if it's nullptr (or MOZ_RELEASE_ASSERT).
[1] https://searchfox.org/mozilla-central/rev/5786b9be9f887ed371c804e786081b476a403104/dom/media/MediaManager.cpp#3320
@@ +2899,5 @@
> + videoPerm = nsIPermissionManager::DENY_ACTION;
> + }
> + }
> +
> + if (videoPerm == nsIPermissionManager::UNKNOWN_ACTION) {
...then we could use `} else {` here too.
@@ +2908,3 @@
> } else {
> rv = permManager->TestExactPermissionFromPrincipal(
> + principal, "screen", &videoPerm);
Ideally, we'd want feature policy to control screen sharing as well:
dom::FeaturePolicyUtils::IsFeatureAllowed(doc, NS_LITERAL_STRING("display")
...if that's ready? https://github.com/w3c/permissions/issues/182
We can add that later too I suppose.
@@ +4141,5 @@
> }
> +
> + nsIDocument* doc = window->GetExtantDoc();
> + if (!doc ||
> + !dom::FeaturePolicyUtils::IsFeatureAllowed(doc, NS_LITERAL_STRING("camera"))) {
Same here, we should either crash, bail early (with false), or err on the side of DENY if `doc` is null.
Attachment #9015198 -
Flags: review?(jib) → review-
|
|
||
Comment 5•6 years ago
|
||
Comment on attachment 9015199 [details] [diff] [review]
part 2 - microphone
Review of attachment 9015199 [details] [diff] [review]:
-----------------------------------------------------------------
Ah, in this patch you use the pattern I meant, but would like it in GetUserMedia() also.
::: dom/media/MediaManager.cpp
@@ +2879,5 @@
> Preferences::GetBool("media.getusermedia.microphone.deny", false)) {
> audioPerm = nsIPermissionManager::DENY_ACTION;
> } else {
> + nsIDocument* doc = aWindow->GetExtantDoc();
> + if (!doc ||
same here.
@@ +4146,5 @@
> +
> + auto* principal = window->GetPrincipal();
> + if (NS_WARN_IF(!principal)) {
> + return false;
> + }
Like this!
@@ +4154,5 @@
> {
> + if (!dom::FeaturePolicyUtils::IsFeatureAllowed(doc, NS_LITERAL_STRING("microphone"))) {
> + audio = nsIPermissionManager::DENY_ACTION;
> + } else {
> + rv = mgr->TestExactPermissionFromPrincipal(principal, "microphone", &audio);
Just curious, did you consider putting the feature policy check inside TestExactPermissionFromPrincipal? Maybe with doc as required arg?
Attachment #9015199 -
Flags: review?(jib) → review-
|
|
||
Comment 6•6 years ago
|
||
Comment on attachment 9015200 [details] [diff] [review]
part 3 - WPTs
Review of attachment 9015200 [details] [diff] [review]:
-----------------------------------------------------------------
Awesome!
Attachment #9015200 -
Flags: review?(jib) → review+
|
|
Assignee | |
Comment 7•6 years ago
|
||
> ...if that's ready? https://github.com/w3c/permissions/issues/182
>
> We can add that later too I suppose.
Right. Another one we should add is 'speaker'. Maybe I'll ping you on IRC to know what's the best way to do it. AudioChannelServie maybe?
|
|
Assignee | |
Comment 8•6 years ago
|
||
> Just curious, did you consider putting the feature policy check inside
> TestExactPermissionFromPrincipal? Maybe with doc as required arg?
This is a very good idea! I'll think about it as a follow up.
|
|
Assignee | |
Comment 9•6 years ago
|
||
Attachment #9015198 -
Attachment is obsolete: true
Attachment #9015447 -
Flags: review?(jib)
|
|
Assignee | |
Comment 10•6 years ago
|
||
Attachment #9015199 -
Attachment is obsolete: true
Attachment #9015448 -
Flags: review?(jib)
|
|
||
Updated•6 years ago
|
Attachment #9015447 -
Flags: review?(jib) → review+
|
|
||
Comment 11•6 years ago
|
||
Comment on attachment 9015448 [details] [diff] [review]
part 2 - microphone
Review of attachment 9015448 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/media/MediaManager.cpp
@@ +2887,5 @@
> + audioPerm = nsIPermissionManager::DENY_ACTION;
> + } else {
> + rv = permManager->TestExactPermissionFromPrincipal(
> + principal, "microphone", &audioPerm);
> + NS_ENSURE_SUCCESS(rv, rv);
Looks good, just noting a behavior change here.
Before this patch, the MediaSourceEnum::Microphone test applied only to the deny pref, and we ran the "microphone" persisted permission test for all audio types.
This patch changes that behavior to skip the "microphone" persisted permission test for the behind-pref MediaSourceEnum::AudioCapture.
This is good. If ever re-enabled, new thinking is MediaSourceEnum::AudioCapture would be covered under getDisplayMedia where audio is covered by the same permission as video. [1]
I can either open a new bug on this, or feel free to add the test for "screen" similar to how you do it in the other patch (we should rename "screen" to "display" at some point I suppose, but that might require some more thought).
[1] https://github.com/w3c/permissions/issues/182
Attachment #9015448 -
Flags: review?(jib) → review+
|
||
Comment 12•6 years ago
|
||
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7757f7200917
FeaturePolicy: camera, r=jib
https://hg.mozilla.org/integration/mozilla-inbound/rev/a3f04193768a
FeaturePolicy: microphone, r=jib
https://hg.mozilla.org/integration/mozilla-inbound/rev/e8121fadb5b8
FeaturePolicy: camera, microphone - WPTs, r=jib
|
||
Comment 13•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/7757f7200917
https://hg.mozilla.org/mozilla-central/rev/a3f04193768a
https://hg.mozilla.org/mozilla-central/rev/e8121fadb5b8
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
|
||
Updated•6 years ago
|
Keywords: dev-doc-needed
|
||
Comment 14•6 years ago
|
||
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•