Closed Bug 1797020 Opened 2 years ago Closed 2 years ago

Deny MIDI access if there are no MIDI devices connected to mitigate MIDI fingerprinting

Tracking

()

Status:

RESOLVED FIXED

Milestone:

108 Branch

Tracking Flags:

Tracking

Status

firefox108

---

fixed

People

(Reporter: nchevobbe, Assigned: bholley)

References

Details

Attachments

(2 files)

Bug 1797020 - Add an API to determine if there are any midi devices. 2 years ago Bobby Holley (:bholley) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1797020 - Only display the consent flow if the user has at least one MIDI devices. 2 years ago Bobby Holley (:bholley) 48 bytes, text/x-phabricator-request		Details \| Review

Nicolas Chevobbe [:nchevobbe]

Reporter

Description

•

2 years ago

Depending on the data of the telemetry probe we plan to add in Bug 1797019, we might want to automatically reject requestMIDIAccess if there are no midi devices connected.

Nicolas Chevobbe [:nchevobbe]

Reporter

Updated

•

2 years ago

Blocks: 1790621

Bobby Holley (:bholley)

Assignee

Updated

•

2 years ago

Assignee: nobody → bholley

Bobby Holley (:bholley)

Assignee

Comment 1

•

2 years ago

Attached file Bug 1797020 - Add an API to determine if there are any midi devices. — Details

Bobby Holley (:bholley)

Assignee

Comment 2

•

2 years ago

Attached file Bug 1797020 - Only display the consent flow if the user has at least one MIDI devices. — Details

Bobby Holley (:bholley)

Assignee

Comment 3

•

2 years ago

https://treeherder.mozilla.org/jobs?repo=try&revision=b38bea05df501b9e21091f905047d5393bd4712b

Bobby Holley (:bholley)

Assignee

Comment 4

•

2 years ago

•

Edited

Initial telemetry indicates that, after blocklisting the builtin synth on Windows (bug 1798097), only about 3% of windows and mac Nightly users have MIDI devices connected. Most (~85%) Linux users have a (likely virtual) device [1].

As such, auto-denying MIDI access in the absence of devices should result in an order-of-magnitude reduction in the number of users who might experience nuisance prompts. The patches here randomize the auto-deny time to make it harder for sites to use timing attacks to infer the existence or non-existence of devices.

[1] Emilio did some local testing across Fedora, Ubuntu, and Arch and found that each of them exposes a device called "Midi Through". In contrast to the situation on Windows, Chrome exposes this device, so we should probably do the same for compat reasons.

Pulsebot

Comment 5

•

2 years ago

Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/31444500e5a2 Add an API to determine if there are any midi devices. r=gsvelto https://hg.mozilla.org/integration/autoland/rev/bfd3197ea9bb Only display the consent flow if the user has at least one MIDI devices. r=gsvelto

Sandor Molnar[:smolnar]

Comment 6

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/31444500e5a2
https://hg.mozilla.org/mozilla-central/rev/bfd3197ea9bb

Status: NEW → RESOLVED

Closed: 2 years ago

status-firefox108: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 108 Branch

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Deny MIDI access if there are no MIDI devices connected to mitigate MIDI fingerprinting

Categories

(Core :: DOM: Core & HTML, task)

Tracking

()

People

(Reporter: nchevobbe, Assigned: bholley)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type