Closed Bug 665598 Opened 13 years ago Closed 11 years ago

Pref to disable Audio API

Categories

(Core :: Audio/Video, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla22

People

(Reporter: al_9x, Assigned: cade)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: 

DOM based audio and video as well as the DOMless audio API extension make possible unsolicited, surprising, unwelcome, annoying media playback from any website.  This is particularly problematic for audio, but video can be pretty annoying as well and also consume a lot more resources, particularly the cpu, all without user consent.

It also increases the attack surface area of the browser, as most serious exploits involve JS + some API.  Audio/video decoding/rendering is complex and no doubt has exploitable bugs.

If the user does not want to be annoyed by media or for security hardening purposes it should be possible to complete disable this whole subsystem.  Ideally it should be possible to white list sites or pages, but as a first step at least a single global pref should be created.


Reproducible: Always
Severity: normal → enhancement
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
This is not a dupe.  This bug is specifically about the disabling of the html5 <audio> <video> tags/elements/objects.  Bug 24418 is about some vague generic solution to blocking all video/audio which will never be addressed.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Whatever, suit yourself. Ok, most bugs that are duped against it, are only interested in muting all sounds, but it's also the implementation of <http://www.w3.org/WAI/UA/WAI-USERAGENT/>. And that's what counts.
Summary: pref to completely disable video/audio → pref to completely disable html5 video/audio elements/objects
As a workaround, you could use NoScript with whitelisting of everything except audio/video tags turned off.
You can set the media.webm.enabled, media.ogg.enabled and media.wave.enabled prefs to false to render <video> and <audio> elements unable to play anything.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago12 years ago
Resolution: --- → WORKSFORME
(In reply to Chris Pearce (:cpearce) from comment #5)
> You can set the media.webm.enabled, media.ogg.enabled and media.wave.enabled
> prefs to false to render <video> and <audio> elements unable to play
> anything.

I don't think these prefs apply to the audio API extension.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Assignee: nobody → chris
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
So to be clear, what we want here is a new pref to disable the AudioAPI, as we've already got prefs to disable ogg,wave, and webm in HTML5 audio/video.

So the idea is to not actually disable <audio>,<video> or the AudioAPI by default, but to provide the option to disable it so that people can choose to disable it, similar to how people have the option to use flashblock to disable Flash.
Summary: pref to completely disable html5 video/audio elements/objects → Pref to disable Audio API
So just to be certain here, we need a patch that disables writing Audio data via mozWriteAudio?
Yes. The pref should prevent JavaScript from being able to generate sound using the Audio API.
(In reply to Chris DeCairos (:cadecairos) from comment #8)
> So just to be certain here, we need a patch that disables writing Audio data
> via mozWriteAudio?

You probably just want to refuse to create the audio stream in mozSetup, see http://mxr.mozilla.org/mozilla-central/source/content/html/content/src/nsHTMLAudioElement.cpp#155
This patch will stop all writing of audio though JavaScript. I tested it using this link here: http://static.bocoup.com/core/code/firefox-audio/html-sings/audio-out-music-gen-f1lt3r.html

I'm concerned about if it's toggled on and off while audio is being written, but I can't say if that's a case we need to worry about ( The script will just throw JS errors because it can't write any more data.)
Attachment #609162 - Flags: review?(cpearce)
Attachment #609162 - Flags: review?(cpearce) → review+
Blocks: 24418
Why this was not checked in?
Attached patch patch v1Splinter Review
The original patch no longer applies.  In rebasing it, I've made some small changes:
- Isolate IsAudioAPIEnabled in nsHTMLAudioElement.cpp
- Rename the pref so that it's distinct from the Web Audio API.
- Return an error rather than NS_OK when the API is disabled.
Attachment #609162 - Attachment is obsolete: true
Attachment #713778 - Flags: review?(cpearce)
Comment on attachment 713778 [details] [diff] [review]
patch v1

Review of attachment 713778 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, this slipped of my radar!

::: content/html/content/src/nsHTMLAudioElement.cpp
@@ +22,5 @@
>  
> +namespace {
> +
> +bool
> +IsAudioAPIEnabled()

"We prefer using 'static' instead of anonymous C++ namespaces."

https://developer.mozilla.org/en-US/docs/Developer_Guide/Coding_Style#Anonymous_namespaces
Attachment #713778 - Flags: review?(cpearce) → review+
https://hg.mozilla.org/mozilla-central/rev/80d52655c8b8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Apologies for letting that slip through the cracks.. thanks for cleaning it up and getting it landed!
hEY, THIS IS NOT FIXED. THEY ARE AUDIO FINGERPRINTING US BECAUSE THIS OPTION FROM 2013 WAS REMOVED
You need to log in before you can comment on or make changes to this bug.