Open Bug 1694599 Opened 3 years ago Updated 11 days ago

privacy.resistFingerprinting crops the camera feed

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
Firefox 86
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: tom, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

  1. Enable privacy.resistFingerprinting
  2. Share a camera on a website

Actual results:

The camera is scaled and cropped to a low resolution 4:3 image.

Expected results:

The camera should remain as is.

I would assume that resistFingerprinting blocks access to information about the camera to stop fingerprinting of the various properties, frame size, resolution, etc.

This is a similar issue to: https://bugzilla.mozilla.org/show_bug.cgi?id=1623368 which I presume exists for the same reasoning.

However, that reason is flawed. Since I have to grant permission to a website to use the camera or microphone, I am giving it access to them and am happy to do so.

If I have given a site access to my camera/microphone I am happy for them to see information about them.

I would expect that:

  1. Sites which do not have camera/microphone permissions see default values (as always currently reported when resistFingerprinting is on)
  2. Sites which have camera/microphone permissions can see full details about them and fully utilize the hardware.

If I give a site access to my camera or microphone I am giving them permission to see that information.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

On the face; I agree - this sounds like a bug. Once the reason for it is determined I'll be certain =)

I don't know why this would happen, with RFP we do limit the devices returned to the site but I didn't think we did anything like this (intentionally.) Is this behavior you see on all sites? My camera seems to be high-res with RFP... https://ritter.vg/misc/ff/gum-helloworld.html is a simple loopback example you can use to test.

Blocks: fingerprinting-breakage
Flags: needinfo?(tom)

Here's my output with requestFingerPrinting on. This is after clicking "allow" and selecting the devices in the popup.

Enumerated 2 devices:
videoinput: label= groupId=lNLCAlTU+8pFM+tRp4LwqNWLPdrNMxgzGN/q16TjafE= id=CJTnvtjIB/GZZUj+lXPkwC2R6bzV4pun6vAbXIEaiqU=
audioinput: label= groupId=Gk6WOTUdEdNzMaq0nPExnwaY0LJ+NJEvK1YM8aRYNMQ= id=8VrOQLb/JHZXaBgna2zjAUHx3XSnEJfELtJB1xkP2ao=
Playing some stuff...
stream.currentTime: undefined id:{876270c8-3043-47dd-a21e-1dd7821c07e3}
Track kind:audio label:Internal Microphone id:{982e325d-1a0f-4168-9327-6790d7201609} settings={autoGainControl=true channelCount=2 deviceId=BY+hhFgdfK1v3SD0GhEY5PlLhvSFSNr1btoxMHPUh/M= echoCancellation=true groupId=q5wuE1cllT3HG76v9Dw3G8nEieG7N9+mkwbgwB9vpdQ= noiseSuppression=true } constraints={}
Track kind:video label:Internal Camera id:{098c6de0-b6ad-4451-b700-4467bc9a83ad} settings={deviceId=7+Z6huWtIjBtvkK+w1pbZa9JFZad2mZJDIKq+2vgLL0= frameRate=30 groupId=OVgd3mwgQgb3WvKhd7gci4grrlKoqksRBw8nAj/uSnI= height=480 width=640 } constraints={}
Enumerated 2 devices again:
videoinput: label=Default Video Device groupId=lNLCAlTU+8pFM+tRp4LwqNWLPdrNMxgzGN/q16TjafE= id=CJTnvtjIB/GZZUj+lXPkwC2R6bzV4pun6vAbXIEaiqU=
audioinput: label=Default Audio Device groupId=Gk6WOTUdEdNzMaq0nPExnwaY0LJ+NJEvK1YM8aRYNMQ= id=8VrOQLb/JHZXaBgna2zjAUHx3XSnEJfELtJB1xkP2ao=

And with it off:

Playing some stuff...
stream.currentTime: undefined id:{4d4c2b95-7f43-4d76-a386-23b999655217}
Track kind:audio label:Monitor of Family 17h (Models 00h-0fh) HD Audio Controller Digital Stereo (IEC958) id:{6177d21d-b4d6-489e-95fa-89da7ff38b20} settings={autoGainControl=true channelCount=2 deviceId=ZHM22X+UgJZnmvbCdP4yS0AhowCzFs/2P9mO9QXkICY= echoCancellation=true groupId=Nob06IqcSuY8qNUXG0Bi4F1Gc2TSaFd1a2sFDc18M3M= noiseSuppression=true } constraints={}
Track kind:video label:OBS Output id:{dd644ede-ba25-44b8-b646-6037048d4a8f} settings={deviceId=7+Z6huWtIjBtvkK+w1pbZa9JFZad2mZJDIKq+2vgLL0= frameRate=30 groupId=Gxz/jGaKL4KmxM/aVwMGEHaDoNJDhMg067MdXxTiuTk= height=480 width=640 } constraints={}
Enumerated 7 devices again:
videoinput: label=OBS Output" groupId=Gxz/jGaKL4KmxM/aVwMGEHaDoNJDhMg067MdXxTiuTk= id=7+Z6huWtIjBtvkK+w1pbZa9JFZad2mZJDIKq+2vgLL0=
videoinput: label=Webcam 60fps groupId=txvTGoTT3KEU2vzl8xFf+mmN0tvuCUSHLBALMZ3/vgo= id=hxpZzNKuGcifa3Mr35tJxc0aD7o4hURQPU0N1AxrIH0=
videoinput: label=BRIO 4K Stream Edition groupId=BisHHEQeKmMF5Io4Wbd+i8zLju7gmQs/f4Guw8I2RYI= id=HHLiLxNGisYjUkgV7GkBiKXNNzF+hwTdRkYjf6e3MlY=
videoinput: label=Game Capture HD60 S+: Game Capt groupId=Ebizx84hJLR44xXMT2QZ5EV0zsVa4nBKNs8grz685LE= id=GtvrzmCJM9wwO/JU9cR047eSd4LoBWoaWviI+MPQCV0=
audioinput: label=Yeti Nano Analog Stereo groupId=Z9HFmFfpQ8XpaWQr9XpTkGZBbYu+WopaDYnJLPAGmk4= id=O+ElGHJG5fcMSAns8Ibn08s7s6yAftgsWy6WMFBrOoU=
audioinput: label=Monitor of Family 17h (Models 00h-0fh) HD Audio Controller Digital Stereo (IEC958) groupId=Nob06IqcSuY8qNUXG0Bi4F1Gc2TSaFd1a2sFDc18M3M= id=ZHM22X+UgJZnmvbCdP4yS0AhowCzFs/2P9mO9QXkICY=
audioinput: label=Monitor of G933 Wireless Headset Dongle Digital Stereo (IEC958) groupId=FTHKbG5a7/AYSfejq2Oqqq4TAK8JoG6QK2ix0BFH8q0= id=BY+hhFgdfK1v3SD0GhEY5PlLhvSFSNr1btoxMHPUh/M=

With requestFingerPrinting turned off it can see my cameras (OBS Output, BRIO 4K) and my microphone (Yeti Nano Analog Stereo). With it on they appear as "Default video device" and "Default audio device".

I'm not sure why the resolution isn't being reported correctly, I'm streaming a 4k video from OBS but on that site it's showing as 640x480. On other websites it's fine (I use BlackBoard collaborate every day and it streams in 16:9 unless resistFingerprinting is on).

Flags: needinfo?(tom)

I could see us doing something to the resolution in RFP; but I don't recall anything specific I can think of. Nor can find out where in the code it may be coming from. I also see 640x480 for my camera which makes me think something in RFP is doing something; but I also know that the image being shown is higher resolution than that. I'm going to leave a ni for me to dig into this, but it won't be quickly I'm afraid.

Flags: needinfo?(tom)
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
You need to log in before you can comment on or make changes to this bug.