Closed Bug 1528031 Opened 5 years ago Closed 4 years ago

Make navigator.mediaDevices SecureContext (removing it in http)

Categories

(Core :: WebRTC: Audio/Video, enhancement, P2)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla69
Tracking Flags:
Tracking Status
firefox69 --- fixed

People

(Reporter: jib, Assigned: jib)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, site-compat)

Attachments

(2 files, 1 obsolete file)

Bug 1528031 - Require [SecureContext] for navigator.mediaDevices & navigator.mozGetUserMedia().
47 bytes, text/x-phabricator-request
Details | Review
Bug 1528031 - Update tests to work with [SecureContext] navigator.mediaDevices.
47 bytes, text/x-phabricator-request
Details | Review

The spec now mandates that navigator.mediaDevices be [SecureContext], removing it, along with getUserMedia(), enumerateDevices() and ondevicechange access, from http.

This takes us beyond the Chrome parity of bug 1335740, and affects enumerateDevices() and ondevicechange as well.

This change might break web pages in a different way, causing a TypeError exception on pages that assume navigator.mediaDevices to exist.

Fortunately, navigator.mediaDevices is a fairly recent addition to the web platform, and it seems common to feature-detect it, as has also been advised, as follows:

if (!navigator.mediaDevices) {
  /* Sorry your browser does not support getUserMedia */
}

So given this, it may be painless, but we should experiment in Nightly first.

Last we checked (our telemetry has expired) <1% of all getUserMedia() calls are HTTP.

But we anticipate the http number for enumerateDevices() to be higher, given Chrome status showing overall usage outpacing getUserMedia() by a magnitude, indicating fingerprinting abuse, with lots anecdotally coming from http. [2]

Breaking these are perhaps less concerning (even a feature), though there might be legitimate sites unaware of this being done through third party libraries, that could break.

[1] https://w3c.github.io/mediacapture-main/getusermedia.html#idl-def-navigator-partial-1
[2] https://www.chromestatus.com/metrics/feature/timeline/popularity/1119

It turns out Chrome 74 has already made navigator.mediaDevices and navigator.getUserMedia [SecureContext] only, so we can accelerate this.

From use counters we added in bug 1528078, of a billion pageloads in 68 beta, we see 0.014% (146 thousand pageloads) use navigator.mediaDevices.getUserMedia, and 0.001% (7.7 thousand pageloads) do so insecurely. That amounts to 5% of calls being insecure.

This is still a bit high. However, with the total pageloads in the single-digit thousands, one explanation mentioned in bug 1335740 comment 6, may be that these numbers are influenced by tests.

Another explanation is trackers may be calling getUserMedia with known-to-fail constraints to leak fingerprinting information through OverconstrainedError. We're contemplating a second round of telemetry targeted at trackers and failing calls, but there's some indication already that this might be the case: 0.001% (16 thousand pageloads) are from background tabs.

Regardless, with bug 1335740, 68 beta is already riding the train with NotAllowedError for these users. So unless we want to pull that change from these results, the call has been made effectively.

The only change here in this issue then would be the way it fails: Instead of a NotAllowedError promise rejection, JS would throw an immediate TypeError: navigator.mediaDevices is undefined exception in http.

Attachment #9070053 - Attachment description: Bug 1528031 - Require [SecureContext] for navigator.mediaDevices & navigator.moszGetUserMedia(). → Bug 1528031 - Require [SecureContext] for navigator.mediaDevices & navigator.mozGetUserMedia().

:jib we are under high load on Android devices and trying to bring down the queue.
Are all the builds in your try job necessary? Can we cancel/stop part of them?

https://treeherder.mozilla.org/#/jobs?repo=try&resultStatus=success%2Cpending%2Crunning%2Ctestfailed%2Cbusted%2Cexception&group_state=expanded&revision=1078f8917fb6c8caf20122d9ca782f64c72a9969&searchStr=android

Flags: needinfo?(jib)

Hi sorry for not responding sooner. I'll attempt narrower try runs on android in the future.

Flags: needinfo?(jib)
Attachment #9070054 - Attachment is obsolete: true
Attachment #9070054 - Attachment is obsolete: false
Attachment #9070054 - Attachment is obsolete: true
Pushed by jbruaroey@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0a18aa212ee6
Require [SecureContext] for navigator.mediaDevices & navigator.mozGetUserMedia(). r=pehrsons,smaug
https://hg.mozilla.org/integration/autoland/rev/27ce9b212d26
Update tests to work with [SecureContext] navigator.mediaDevices. r=pehrsons,smaug
Backout by malexandru@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e1bbd69eabd2
Backed out 2 changesets for causing crashtests to time out. CLOSED TREE

Backed out 2 changesets for causing crashtests to time out.

Backout link: https://hg.mozilla.org/integration/autoland/rev/e1bbd69eabd24aaa8a8dc73e91f2d2388820267f

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&searchStr=android%2C7.0%2Cx86-64%2Copt%2Creftests%2Ctest-android-em-7.0-x86_64%2Fopt-crashtest-e10s%2Cr%28c%29&revision=27ce9b212d26c5185f9e856f7ba3b6247a3e2161&selectedJob=253603985

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=253603985&repo=autoland&lineNumber=4083

[task 2019-06-27T00:02:02.750Z] 00:02:02 INFO - REFTEST TEST-START | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html
[task 2019-06-27T00:02:02.750Z] 00:02:02 INFO - REFTEST INFO | SET PREFERENCE pref(media.navigator.permission.disabled,true)
[task 2019-06-27T00:02:02.751Z] 00:02:02 INFO - REFTEST INFO | SET PREFERENCE pref(media.getusermedia.insecure.enabled,true)
[task 2019-06-27T00:02:02.751Z] 00:02:02 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html | 648 / 3767 (17%)
[task 2019-06-27T00:07:07.013Z] 00:07:07 INFO - REFTEST TEST-UNEXPECTED-FAIL | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html | load failed: timed out waiting for reftest-wait to be removed
[task 2019-06-27T00:07:07.014Z] 00:07:07 INFO - REFTEST INFO | Saved log: START http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html
[task 2019-06-27T00:07:07.014Z] 00:07:07 INFO - REFTEST INFO | Saved log: [CONTENT] OnDocumentLoad triggering WaitForTestEnd

Flags: needinfo?(jib)

== Change summary for alert #21625 (as of Thu, 27 Jun 2019 06:30:16 GMT) ==

Improvements:

34% build times linux32-shippable opt nightly taskcluster-m5.4xlarge 6,293.01 -> 4,133.19

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=21625

Pushed by jbruaroey@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6d317cd3124a
Require [SecureContext] for navigator.mediaDevices & navigator.mozGetUserMedia(). r=pehrsons,smaug
https://hg.mozilla.org/integration/autoland/rev/948869e38bce
Update tests to work with [SecureContext] navigator.mediaDevices. r=pehrsons,smaug

https://hg.mozilla.org/mozilla-central/rev/6d317cd3124a
https://hg.mozilla.org/mozilla-central/rev/948869e38bce

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox69: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: needinfo?(jib)

Documentation:

  • Submitted BCD PR 4560: navigator.mediaDevices now requires a secure context in Firefox 69

Added mention to Firefox 69 for developers.

Keywords: dev-doc-neededdev-doc-complete
You need to log in before you can comment on or make changes to this bug.