Intent to ship privacy improvements in enumerateDevices()

[Jan-Ivar Bruaroey]

In Firefox 119 or 120 we intend to flip a pref to limit camera and microphone information ahead of active access.

Summary: navigator.mediaDevices.enumerateDevices() is called by ~7% of the web, a magnitude larger than the expected legitimate use of ~0.2%, the rest are trackers (2, 3). The API allows websites unprompted access to information about a user's cameras and microphones, which is a fingerprinting surface.

Early versions of the spec revealed the number of devices to all sites, and for full access to device labels, it only required a site to have had camera or microphone permission persisted to it in the past, something two major browsers grant automatically after just a single use (post COVID-19, this is a LOT of users).

A review by the Privacy Interest Group (PING) in 2020 tightened the spec (1) to only reveal absence of camera or microphone to all sites, and to require active camera and microphone access (not just permission) for anything else.

Privacy being a core Mozilla principle, we intend to ship this update to the spec.

Bug: https://bugzil.la/1528042

Standard: 

1. https://www.w3.org/TR/mediacapture-streams/#idl-def-mediadevices-enumeratedevices
2. https://chromestatus.com/metrics/feature/timeline/popularity/1119
3. https://chromestatus.com/metrics/feature/timeline/popularity/1402

Platform Coverage: All platforms.

Preference: We intend to flip our pref media.devices.enumerate.legacy.enabled to false by default to limit device information.

Other Browsers:

• Webkit: has shipped this updated spec since ~14
  
• Blink: https://crbug.com/1101860

Web-platform-tests:

• https://wpt.fyi/results/mediacapture-streams/MediaDevices-enumerateDevices-persistent-permission.https.html
  • Note the linked test fails for infra reasons and lack of permission automation in gecko, but passes in Mozilla's own CI, and in local builds using mach wpt

Web compatibility

The new behavior should match Safari. But the pref is already available in Firefox release, so please flip it in about:config to test the difference in your video conferencing app today, so it won't break in the next version of Firefox! — Or if you're just curious, in this test page: https://jan-ivar.github.io/dummy/enumerate.html

This also fixes a device label leak that some video conferencing sites were misusing to detect permission in Firefox. Please see our Intent to ship "camera" & "microphone" in permissions.query() for a better solution to this.

[Tom Ritter]

Yay! Thank you for this work.

> --
> You received this message because you are subscribed to the Google Groups "dev-pl...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-platform...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/c3ffb784-d50c-4007-a096-10a02d0f0ab0n%40mozilla.org.