Intent to (deprecate and) remove usage of the WebSpeech API on insecure origins

[Guido Urdaneta]

Primary eng (and PM) emails

gui...@chromium.org

bl...@chromium.org

Summary

Remove access to the Speech Recognition API on insecure origins. This will prevent sites from requesting access to speech recognition over HTTP.

In practice, sites using the Speech Recognition API must already be on secure origins because the API requires access to the microphone, which is allowed only on secure origins.

Motivation

This continues the application of concepts from http://www.w3.org/TR/powerful-features/ to features which have already shipped. It follows the successful removal of getUserMedia() and other features from insecure origins.

Speech Recognition is a powerful feature as it, in principle, allows websites to transmit private information coming from the user microphone. Attackers may sniff or steal any information sent over an insecure connection.

Compatibility Risk

There is practically zero compatibility risk because the Speech Recognition API fails to work already due to the impossibility to enable the microphone permission in insecure origins.

What occurs in practice is that when speech recognition is used from HTTP, some parts of Chromium that assume a secure origin are used. This results in a misleading icon on the omnibar that never allows enabling the microphone permission, but which suggests that it might be allowed. The speech recognition functionality never gets to work in this case.

Officially removing access to this API in insecure origins would instead result in an exception with an informative message and would avoid the misleading UI. For more details, see http://crbug.com/755913.

Alternative implementation suggestion for web developers

Migrate your site to HTTPS to be able to use the Speech Recognition API.

Usage information from UseCounter

No usage information is available at this time. However, given that the feature already fails to work in practice on insecure origins, the impact on existing sites using HTTP would be limited regardless of how many they are.

OWP launch tracking bug

http://crbug.com/761371

Entry on the feature dashboard

https://www.chromestatus.com/feature/5639479519870976

Requesting approval to remove too?

Yes. Assuming the discussions are not controversial, we plan to implement the removal in M63 since the feature is already nonfunctional on insecure origins.

[Rick Byers]

Makes sense.

Will this use [SecureContext] to hide the API entirely from an insecure context?  Can you submit a PR against the spec to suggest changing the spec in that way?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/856834a4-6a15-472c-bc31-f1b8f7d37be4%40chromium.org.

[Guido Urdaneta]

My plan was to implement it in a similar way to getUserMedia, which throws an exception and logs a message on insecure domains. Sample CL (needs rebase): https://chromium-review.googlesource.com/c/chromium/src/+/647850

[Guido Urdaneta]

Note also that it seems that the Web Speech API spec, available at https://dvcs.w3.org/hg/speech-api/raw-file/tip/webspeechapi.html, hasn't been updated since 2014 and does not seem to have a mechanism for filing issues.

+gshires,  who is a co-author of the spec and might have more information.

[Philip Jägenstedt]

It's not linked anywhere in the spec, but the bug tracker for this is https://www.w3.org/Bugs/Public/buglist.cgi?list_id=67762&product=Speech%20API

I know not everyone has an account there, so I filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=30176.

The spec hasn't been updated in a long time, but there may be a new editor incoming. In the meantime, I think we can go ahead with this change without waiting for the spec change, given that it's already entirely broken.

This should be testable in web-platform-tests, and with a pending spec change what we've arrived at is tentative tests, named foo-bar.tentative.html, linking to the spec bug. (It'd be the first Web Speech API test in wpt, but there's nothing special involved in creating new directories.)

LGTM1 with such a test, which I'd be happy to review.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BBuZxZ_6gE0AH_-gxn%2BLLGa%2B6qR-45r%2BD93HYopE44LGV8jCQ%40mail.gmail.com.

[Rick Byers]

LGTM2

[Dimitri Glazkov]

LGTM3

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY9s2LB8s95%3D6KVF%3DocH1ZOkU4cgkjkuTKMoGjb_RyXibQ%40mail.gmail.com.