1798097 - Blocklist builtin Windows MIDI device

Status: RESOLVED FIXED

(Core :: DOM: Device Interfaces, defect)

Description

[Bobby Holley (:bholley)]

I recently discovered that Windows automatically provisions a software MIDI device called Microsoft GS Wavetable Synth. Chrome disables this device for WebMIDI, and so we should too for compatibility reasons.

Interestingly, the device was disabled in Chromium because it was found to be insufficiently hardened against adversarial input. This has been our hypothesis about many MIDI devices since the beginning, and validates our position that exposing MIDI devices to sites without user consent is quite dangerous.

The bug notes that Chrome's security calculus hinged more on a belief that MIDI devices are rare than that exposing them is actually safe. This is presumably why the issue was addressed by simply blocklisting this specific device rather than anything systematic.

Comment 1

[Bobby Holley (:bholley)]

Gabriele, can you whip up a quick patch to implement a similar blocklist for compat reasons?

Comment 2

[Gabriele Svelto [:gsvelto]]

Cooking up a patch

Comment 3

[Gabriele Svelto [:gsvelto]]

Attachment: Bug 1798097 - Hide the Microsoft MIDI soft synthesizer from the list of outputs surfaced by WebMIDI r=bholley

Comment 4

[Pulsebot]

Pushed by gsvelto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5141f72f104a
Hide the Microsoft MIDI soft synthesizer from the list of outputs surfaced by WebMIDI r=bholley

Comment 5

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/5141f72f104a