Bug 191112 - [MediaStream] Don't reveal device IDs until the user has granted permission to capture
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebRTC
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Eric Carlson
Keywords: InRadar
Reported: 2018-10-31 07:44 PDT by Eric Carlson
Modified: 2018-10-31 10:27 PDT
Attachments
Patch (8.76 KB, patch)
2018-10-31 08:41 PDT, Eric Carlson
Patch for landing (8.71 KB, patch)
2018-10-31 10:00 PDT, Eric Carlson

Description Eric Carlson 2018-10-31 07:44:01 PDT
WebKit currently regenerates device IDs when a page is refreshed, unless the user has granted permission to capture without a prompt. This was done to enhance user privacy because we observed that many sites that don't ever call getUserMedia call enumerateDevices for fingerprinting. This behavior is different from other browsers, which return somewhat stable device IDs, causes problems for existing scripts (e.g. see bug 179220), and makes device IDs essentially useless.

To improve the usefulness of device IDs to scripts, while not increasing the usefulness for fingerprinting, enumerateDevices should return stable device IDs once the user has granted permission to capture and return an empty string before that.
Comment 1 Radar WebKit Bug Importer 2018-10-31 08:02:25 PDT
<rdar://problem/45699932>
Comment 2 Eric Carlson 2018-10-31 08:41:33 PDT
This patch will make device IDs empty until permission to capture has been granted; another patch will make the IDs stable.
Comment 3 Eric Carlson 2018-10-31 08:41:50 PDT
Created attachment 353496 [details]
Patch
Comment 4 youenn fablet 2018-10-31 08:54:43 PDT
Comment on attachment 353496 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=353496&action=review

> LayoutTests/fast/mediastream/MediaStreamTrack-getCapabilities.html:90
> +                    .then(stream => mediaStream = stream);

mediaStream = await navigator.mediaDevices.getUserMedia({ audio:true, video:true });

> LayoutTests/fast/mediastream/get-user-media-device-id.html:18
> +                    assert_true(device.deviceId.length == 0 , "device.deviceId is empty before permission to capture");

Should we go with empty device ids or undefined device ids?
The spec seems to forbid empty device ids as they must be unique.
In terms of breakage, empty string device ids might be a bit better except if used for hashes.
Comment 5 Eric Carlson 2018-10-31 09:46:43 PDT
Comment on attachment 353496 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=353496&action=review

>> LayoutTests/fast/mediastream/get-user-media-device-id.html:18
>> +                    assert_true(device.deviceId.length == 0 , "device.deviceId is empty before permission to capture");
> 
> Should we go with empty device ids or undefined device ids?
> The spec seems to forbid empty device ids as they must be unique.
> In terms of breakage, empty string device ids might be a bit better except if used for hashes.

I think empty ids will cause fewer problems for scripts, so let's go with this for now at least.
Comment 6 Eric Carlson 2018-10-31 10:00:49 PDT
Created attachment 353501 [details]
Patch for landing
Comment 7 youenn fablet 2018-10-31 10:17:44 PDT
(In reply to Eric Carlson from comment #5)
> Comment on attachment 353496 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=353496&action=review
> 
> >> LayoutTests/fast/mediastream/get-user-media-device-id.html:18
> >> +                    assert_true(device.deviceId.length == 0 , "device.deviceId is empty before permission to capture");
> > 
> > Should we go with empty device ids or undefined device ids?
> > The spec seems to forbid empty device ids as they must be unique.
> > In terms of breakage, empty string device ids might be a bit better except if used for hashes.
> 
> I think empty ids will cause fewer problems for scripts, so lets go with
> this for now at least.

I filed a corresponding issue there: https://github.com/w3c/mediacapture-main/issues/551
Comment 8 WebKit Commit Bot 2018-10-31 10:26:58 PDT
Comment on attachment 353501 [details]
Patch for landing

Clearing flags on attachment: 353501

Committed r237643: <https://trac.webkit.org/changeset/237643>
Comment 9 WebKit Commit Bot 2018-10-31 10:27:00 PDT
All reviewed patches have been landed. Closing bug.