Bug 173104

Summary: getUserMedia should not be prompted again if user denied access
Product: WebKit Reporter: youenn fablet <youennf>
Component: MediaAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: clopez, commit-queue, csaavedra, eric.carlson, ggaren, jonlee, mcatanzaro, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch for landing
none
Patch for landing none

Description youenn fablet 2017-06-08 09:51:02 PDT 
At least until reloading/navigating.
Comment 1 youenn fablet 2017-06-08 10:00:11 PDT 
Created attachment 312314 [details]
Patch
Comment 2 Geoffrey Garen 2017-06-08 10:58:02 PDT 
Comment on attachment 312314 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=312314&action=review

r=me with one change

> Source/WebKit2/UIProcess/UserMediaPermissionRequestManagerProxy.cpp:208
> +bool UserMediaPermissionRequestManagerProxy::isRequestDenied(uint64_t frameID, const WebCore::SecurityOrigin& userMediaDocumentOrigin, const WebCore::SecurityOrigin& topLevelDocumentOrigin, bool needsAudio, bool needsVideo)

I would call this "wasRequestDenied" because it's a record of something that happened in the past, and not necessarily a comment on what is or should be happening right now.

> Source/WebKit2/UIProcess/UserMediaPermissionRequestManagerProxy.cpp:216
> +        if (deniedRequest.frameID != frameID)
> +            continue;

This seems wrong to me. A page could re-prompt the user infinitely by inserting and removing iframes with getUserMedia calls. Once the user says no to a given domain, that should be the end of it.
Comment 3 youenn fablet 2017-06-08 10:59:19 PDT 
Created attachment 312322 [details]
Patch
Comment 4 youenn fablet 2017-06-08 11:01:59 PDT 
<rdar://problem/32381046>
Comment 5 youenn fablet 2017-06-08 11:13:17 PDT 
Thanks for the review.

> > Source/WebKit2/UIProcess/UserMediaPermissionRequestManagerProxy.cpp:216
> > +        if (deniedRequest.frameID != frameID)
> > +            continue;
> 
> This seems wrong to me. A page could re-prompt the user infinitely by
> inserting and removing iframes with getUserMedia calls. Once the user says
> no to a given domain, that should be the end of it.

This departs from the current model, which I think should be simplified.
We can add back the flexibility if we discover the need for it.

This would mean:
- Only care about the main frame for both predenied/pregranted requests
- Only care about the main frame security origin at UIProcess/Client level, frames with different origins are not allowed to do gum calls anyway.
- Reflect in client API that we are only searching for camera/mic access, not per device choice.
We should reflect all of that in our IPC and Client APIs.

I will update the patch with just the deny case now.
Comment 6 youenn fablet 2017-06-08 11:25:41 PDT 
Created attachment 312326 [details]
Patch for landing
Comment 7 youenn fablet 2017-06-08 12:17:22 PDT 
Created attachment 312333 [details]
Patch for landing
Comment 8 Geoffrey Garen 2017-06-08 13:04:09 PDT 
> This departs from the current model, which I think should be simplified.
>
> We can add back the flexibility if we discover the need for it.
> 
> This would mean:
> - Only care about the main frame for both predenied/pregranted requests
> - Only care about the main frame security origin at UIProcess/Client level,
> frames with different origins are not allowed to do gum calls anyway.

I'm not an expert on how WebRTC permissions usually work. I wonder what other browsers do.

Other web APIs like storage and geolocation grant or deny permission per domain, rather than per frame or per function call.

I can see some value in prompting more for WebRTC than for storage or geolocation, since we consider storage and geolocation to be optional APIs whose absence shouldn't break a site, whereas absence of WebRTC will probably break a WebRTC site.

My intuition is that one prompt per main document is probably the right policy to start with.
Comment 9 WebKit Commit Bot 2017-06-08 13:37:53 PDT 
Comment on attachment 312333 [details]
Patch for landing

Clearing flags on attachment: 312333

Committed r217945: <http://trac.webkit.org/changeset/217945>
Comment 10 WebKit Commit Bot 2017-06-08 13:37:55 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 11 Carlos Alberto Lopez Perez 2017-06-08 15:49:20 PDT 
(In reply to WebKit Commit Bot from comment #9)
> Comment on attachment 312333 [details]
> Patch for landing
> 
> Clearing flags on attachment: 312333
> 
> Committed r217945: <http://trac.webkit.org/changeset/217945>

This broke the GTK+ build with GCC-4.9 : https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20Debian%20Stable%20%28Build%29/builds/2570/steps/compile-webkit/logs/stdio

I suspect its related to the same issue with GCC-4.9 that Yusuke fixed 2 days ago https://trac.webkit.org/changeset/217829/
Comment 12 youenn fablet 2017-06-08 16:15:19 PDT 
(In reply to Carlos Alberto Lopez Perez from comment #11)
> (In reply to WebKit Commit Bot from comment #9)
> > Comment on attachment 312333 [details]
> > Patch for landing
> > 
> > Clearing flags on attachment: 312333
> > 
> > Committed r217945: <http://trac.webkit.org/changeset/217945>
> 
> This broke the GTK+ build with GCC-4.9 :
> https://build.webkit.org/builders/GTK%20Linux%2064-
> bit%20Release%20Debian%20Stable%20%28Build%29/builds/2570/steps/compile-
> webkit/logs/stdio
> 
> I suspect its related to the same issue with GCC-4.9 that Yusuke fixed 2
> days ago https://trac.webkit.org/changeset/217829/

Ah, sorry about that. I won't be able to fix it until tomorrow...
Comment 13 youenn fablet 2017-06-08 16:17:05 PDT 
Looking at Yusuke patch, you might indeed be right. If nobody beats me, I'll try to fix it tomorrow
Comment 14 Carlos Alberto Lopez Perez 2017-06-08 17:27:29 PDT 
(In reply to youenn fablet from comment #13)
> Looking at Yusuke patch, you might indeed be right. If nobody beats me, I'll
> try to fix it tomorrow

(In reply to youenn fablet from comment #12)
> (In reply to Carlos Alberto Lopez Perez from comment #11)
> > (In reply to WebKit Commit Bot from comment #9)
> > > Comment on attachment 312333 [details]
> > > Patch for landing
> > > 
> > > Clearing flags on attachment: 312333
> > > 
> > > Committed r217945: <http://trac.webkit.org/changeset/217945>
> > 
> > This broke the GTK+ build with GCC-4.9 :
> > https://build.webkit.org/builders/GTK%20Linux%2064-
> > bit%20Release%20Debian%20Stable%20%28Build%29/builds/2570/steps/compile-
> > webkit/logs/stdio
> > 
> > I suspect its related to the same issue with GCC-4.9 that Yusuke fixed 2
> > days ago https://trac.webkit.org/changeset/217829/
> 
> Ah, sorry about that. I won't be able to fix it until tomorrow...

No problem: The GTK+ EWS and the GTK+ release and debug bots run a more recent GCC version (6.3).


We have this bot with GCC 4.9 because its our minimum version supported of the compiler, so we can test that WebKit remains build-able with that.

So, no hurries at all.
Comment 15 Claudio Saavedra 2017-06-09 03:00:11 PDT 
I think in this particular case the default initializers are redundant so it's safe to remove them. The struct is only initialized in one place with all members explicitly. I've committed https://trac.webkit.org/changeset/217974/webkit, please feel free to change if you disagree and prefer to have the default initializers and a constructor as well.
Comment 16 Michael Catanzaro 2017-06-09 07:08:23 PDT 
All struct or class members should always be initialized by default or by the constructor, we should not be playing games with possible use of uninitialized memory. The code instantiating the struct should not have to remember to initialize everything. We know this does not work in practice.