Make navigator.mediaDevices SecureContext (removing it in http)
Categories
(Core :: WebRTC: Audio/Video, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox69 | --- | fixed |
People
(Reporter: jib, Assigned: jib)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(2 files, 1 obsolete file)
The spec now mandates that navigator.mediaDevices be [SecureContext], removing it, along with getUserMedia(), enumerateDevices() and ondevicechange access, from http.
This takes us beyond the Chrome parity of bug 1335740, and affects enumerateDevices() and ondevicechange as well.
This change might break web pages in a different way, causing a TypeError exception on pages that assume navigator.mediaDevices to exist.
Fortunately, navigator.mediaDevices is a fairly recent addition to the web platform, and it seems common to feature-detect it, as has also been advised, as follows:
if (!navigator.mediaDevices) {
/* Sorry your browser does not support getUserMedia */
}
So given this, it may be painless, but we should experiment in Nightly first.
Last we checked (our telemetry has expired) <1% of all getUserMedia() calls are HTTP.
But we anticipate the http number for enumerateDevices() to be higher, given Chrome status showing overall usage outpacing getUserMedia() by a magnitude, indicating fingerprinting abuse, with lots anecdotally coming from http. [2]
Breaking these are perhaps less concerning (even a feature), though there might be legitimate sites unaware of this being done through third party libraries, that could break.
[1] https://w3c.github.io/mediacapture-main/getusermedia.html#idl-def-navigator-partial-1
[2] https://www.chromestatus.com/metrics/feature/timeline/popularity/1119
|
Assignee | |
Comment 1•6 years ago
|
||
It turns out Chrome 74 has already made navigator.mediaDevices and navigator.getUserMedia [SecureContext] only, so we can accelerate this.
From use counters we added in bug 1528078, of a billion pageloads in 68 beta, we see 0.014% (146 thousand pageloads) use navigator.mediaDevices.getUserMedia, and 0.001% (7.7 thousand pageloads) do so insecurely. That amounts to 5% of calls being insecure.
This is still a bit high. However, with the total pageloads in the single-digit thousands, one explanation mentioned in bug 1335740 comment 6, may be that these numbers are influenced by tests.
Another explanation is trackers may be calling getUserMedia with known-to-fail constraints to leak fingerprinting information through OverconstrainedError. We're contemplating a second round of telemetry targeted at trackers and failing calls, but there's some indication already that this might be the case: 0.001% (16 thousand pageloads) are from background tabs.
Regardless, with bug 1335740, 68 beta is already riding the train with NotAllowedError for these users. So unless we want to pull that change from these results, the call has been made effectively.
The only change here in this issue then would be the way it fails: Instead of a NotAllowedError promise rejection, JS would throw an immediate TypeError: navigator.mediaDevices is undefined exception in http.
|
|
Assignee | |
Comment 2•6 years ago
|
||
|
|
Assignee | |
Comment 3•6 years ago
|
||
|
||
Updated•6 years ago
|
|
||
Comment 4•6 years ago
|
||
:jib we are under high load on Android devices and trying to bring down the queue.
Are all the builds in your try job necessary? Can we cancel/stop part of them?
|
|
Assignee | |
Comment 5•6 years ago
|
||
Hi sorry for not responding sooner. I'll attempt narrower try runs on android in the future.
|
|
Assignee | |
Comment 6•6 years ago
|
||
Depends on D33837
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Comment 9•6 years ago
|
||
Backed out 2 changesets for causing crashtests to time out.
Backout link: https://hg.mozilla.org/integration/autoland/rev/e1bbd69eabd24aaa8a8dc73e91f2d2388820267f
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=253603985&repo=autoland&lineNumber=4083
[task 2019-06-27T00:02:02.750Z] 00:02:02 INFO - REFTEST TEST-START | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html
[task 2019-06-27T00:02:02.750Z] 00:02:02 INFO - REFTEST INFO | SET PREFERENCE pref(media.navigator.permission.disabled,true)
[task 2019-06-27T00:02:02.751Z] 00:02:02 INFO - REFTEST INFO | SET PREFERENCE pref(media.getusermedia.insecure.enabled,true)
[task 2019-06-27T00:02:02.751Z] 00:02:02 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html | 648 / 3767 (17%)
[task 2019-06-27T00:07:07.013Z] 00:07:07 INFO - REFTEST TEST-UNEXPECTED-FAIL | http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html | load failed: timed out waiting for reftest-wait to be removed
[task 2019-06-27T00:07:07.014Z] 00:07:07 INFO - REFTEST INFO | Saved log: START http://10.0.2.2:8854/tests/dom/media/test/crashtests/1388372.html
[task 2019-06-27T00:07:07.014Z] 00:07:07 INFO - REFTEST INFO | Saved log: [CONTENT] OnDocumentLoad triggering WaitForTestEnd
|
|
||
Comment 10•6 years ago
|
||
== Change summary for alert #21625 (as of Thu, 27 Jun 2019 06:30:16 GMT) ==
Improvements:
34% build times linux32-shippable opt nightly taskcluster-m5.4xlarge 6,293.01 -> 4,133.19
For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=21625
|
||
Comment 11•6 years ago
|
||
|
||
Comment 12•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/6d317cd3124a
https://hg.mozilla.org/mozilla-central/rev/948869e38bce
|
||
Comment 13•6 years ago
|
||
|
|
Assignee | |
Updated•6 years ago
|
|
||
Comment 14•6 years ago
|
||
Documentation:
- Submitted BCD PR 4560:
navigator.mediaDevicesnow requires a secure context in Firefox 69
Added mention to Firefox 69 for developers.
Description
•