Firefox for Android requests permission to access "Music and Audio on this device" when the user taps a `input type="file"` button with image file-types
Categories
(Firefox for Android :: Media, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox145 | --- | unaffected |
| firefox146 | --- | wontfix |
| firefox147 | --- | wontfix |
| firefox148 | --- | fix-optional |
People
(Reporter: dholbert, Unassigned)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [fxdroid][group4])
Attachments
(2 files)
screenshot of the permission prompt
Steps to reproduce
- Either be using a fresh installation of Firefox-for-Android, OR, reset Android's memory about what permissions you've granted in the past, to emulate a fresh installation. (To do that: long-press the Firefox Nightly app-icon, choose the "info"
iicon, tap 'permissions'; and then for "Microphone" and "Music and audio", tap "allow" and then "don't allow". Do this even if you already had it set to "Don't allow". This back-and-forth is sufficient to get Android to prompt you the next time Firefox needs these permissions.) - Visit https://bug1992270.bmoattachments.org/attachment.cgi?id=9517903 (or probably any of the testcases in bug 1992270)
- Tap the button in the testcase.
Expected behavior
Maybe a prompt to access camera and/or microphone (for reasons described in bug 1975933 comment 30), but no prompts beyond that.
Actual behavior
I get an extra prompts beyond camera/microphone permissions -- that prompt says:
Allow Firefox Nightly to access music and audio on this device?
Device information
- Firefox version: 147.0a1 2025-11-25
- Android device model: Pixel 10 Pro XL
- Android OS version: 16
Any additional information?
- If I perform the same STR in Chrome, it shows the first prompt (to record audio) but does not show any prompt about music-and-audio-on-this-device. And checking Chrome's permissions, I see that it doesn't have (and hasn't asked for) the permission to access music and audio on this device.
- Nonetheless: if I choose the "Photos & videos" button (rather than the camera) in the file-picker flow, Chrome does show me and does allow me to select music and audio files (e.g. m4a and mp3 files)
- Similarly, Firefox shows me those files and allows me to select them, regardless of whether I accepted or denied the music-and-audio permission.
- So Android's permissions around music-and-audio are a bit weird (letting Firefox-and-Chrome access some music and audio files, even despite permission being rejected or never-requested); but in any case, it seems like we're not getting any benefit/additional-access-to-files by showing this dialog, and Chrome manages to not-show-it, so probably we could/should avoid showing it too?
|
||
Comment 1•18 days ago
|
||
Set release status flags based on info from the regressing bug 1975933
:saschanaz, since you are the author of the regressor, bug 1975933, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Comment 2•17 days ago
|
||
I have never seen such behavior on Galaxy S22 Ultra nor on the emulator. What environment are you testing on? 🤔
If I disable the audio permission and retry, I only get the record permission prompt and not the second one.
|
Reporter | |
Comment 3•17 days ago
•
|
||
(In reply to Kagami Rosylight [:saschanaz] (they/them) from comment #2)
I have never seen such behavior on Galaxy S22 Ultra nor on the emulator. What environment are you testing on? 🤔
Google Pixel 10 Pro XL, and Google Pixel 6a (both are affected). It might be dependent on your Android OS level -- I've got Android 16 on both devices that I've tested. What Android versions are you testing on the Galaxy & emulator?
(also, I forgot to mention: strictly speaking there's one additional permission-prompt, for "Camera" permissions, that may show up if you've cleared or never-granted that permission. I edited comment 0 to make that clearer. That prompt is unsurprising, of course, and it happens in Chrome as well; it's only this Music-and-Audio permission-request that's Firefox-specific and seems unnecessary.)
|
|
Reporter | |
Comment 4•17 days ago
|
||
|
|
Reporter | |
Comment 5•17 days ago
|
||
|
||
Comment 6•17 days ago
|
||
:saschanaz, adding a needinfo for Comment 3.
:titouan, could this be triaged for severity? We are at the end of the beta cycle.
Next week is RC week, so we will rollout to production at 5% though we would need to know the severity here.
|
|
||
Comment 7•17 days ago
•
|
||
Ok, I reproduced it and here is my reading of the code:
- I believe the behavior is from the use of READ_MEDIA_AUDIO for audio permission, which we use for Android 13+ (Tiramisu). This behavior is added by bug 1802579 in 2022 originally with images and videos too, but in 2024 we removed it in bug 1900803 because of Google Play policy change - they decided those permissions can be harmful for privacy.
- The Android docs say the permission can "access media files that others apps create", and "Required only if your app needs to access audio files that other apps created".
It's unclear to me that we ever need this permission, and I wonder this permission is harmful too, even though the policy change didn't cover the audio one.
Chrome does keep those permissions though:
<!-- Needed for handling media-viewing Intents from other apps for images and video on low end
or managed devices (eg. crbug.com/40546519), monitoring of screenshots if permission has
been previously granted (doesn't request independently) (crbug.com/40520892), and
Chromium's custom photo picker used on Android S and below (crbug.com/40489056) -->
and uses it to handle file URL permission.
Perhaps the simplest fix is to just remove the permission, because I don't think Firefox does the same?
Mihai, since you introduced the permission, do you have any further idea how to proceed?
|
||
Comment 8•17 days ago
|
||
I theory I think we could remove the permission and requesting for it, since we select the file through the system picker.
But it should be tested, because the documentation for these permission is not really reliable and it might also depend on different manufacturer implementations.
|
||
Comment 9•12 days ago
|
||
Thanks for the heads up Donal.
:Kagami, are you working on this one?
|
|
||
Updated•12 days ago
|
|
|
||
Comment 10•12 days ago
|
||
It would be very much appreciated if someone with more Android testing devices or at least more experience with Android can take this over. Initially I was requested to take a look because it was supposed to be a web platform side issue - until it turned out not to be.
But if nobody is available I can take it, although I will not be able to test much.
|
|
||
Updated•12 days ago
|
|
||
Updated•12 days ago
|
|
|
||
Updated•12 days ago
|
|
||
Updated•10 days ago
|
|
|
||
Comment 11•9 days ago
|
||
(methinks maybe we can remove it and then let QA confirm it?)
|
|
||
Comment 12•5 days ago
|
||
Set release status flags based on info from the regressing bug 1975933
|
||
Updated•5 days ago
|
Description
•