Intent to deprecate: insecure getUserMedia & enumerateDevices requests

Jan-Ivar Bruaroey

Feb 26, 2019, 10:01:41 PM

TL;DR: the getUserMedia API will reject with NotAllowedError in insecure
contexts in Firefox 67 (due mid-May), and we'll experiment with
navigator.mediaDevices being [SecureContext] in Nightly going forward.

Hi! We're moving to restrict the getUserMedia and enumerateDevices APIs,
in two stages.

This is tracked in https://bugzil.la/1335740 which adds two prefs:

media.devices.insecure.enabled (defaults to true for now)
media.getusermedia.insecure.enabled (false in 67)

Both need to be true for legacy behavior to work. We plan to roll out as
follows:

Stage 1: getUserMedia NotAllowedError

The getUserMedia API will reject with NotAllowedError in insecure
contexts in Firefox 67 (due mid-May). A number of reasons:

• Parity with Chrome and Safari behavior for a couple of years now.
• It's now both easy and free to get a valid SSL certificate. [1]
• Last telemetry (it's expired) had insecure usage <3% of gUM. [2]
• We anticipate low friction, due to behavior of Chrome and Safari.

Stage 2: remove navigator.mediaDevices in insecure contexts.

We'll experiment with navigator.mediaDevices being [SecureContext] in
Nightly-only for now. Train ride TBA. This will impact:

navigator.mediaDevices.getUserMedia()
navigator.mediaDevices.enumerateDevices()
navigator.mediaDevices.addEventListener("devicechange", ...)
navigator.mozGetUserMedia()

These will all cause TypeError in insecure contexts/http, because

navigator.mediaDevices === undefined
navigator.mozGetUserMedia === undefined

Since these APIs are still relatively new, most sites should be
feature-detecting them already using e.g. if (navigator.mediaDevices) {
... }.

Reasons to do this:

• Match the spec.
• enumerateDevices() isn't needed in insecure contexts.
• enumerateDevices() usage dwarfs gUM() 👉 fingerprinting abuse [3]
• Chrome is targeting M74 for this [4]

[1] https://letsencrypt.org
[2] See https://bugzilla.mozilla.org/show_bug.cgi?id=1335740#c6
[3] https://lists.w3.org/Archives/Public/public-webrtc/2019Feb/0020.html
[4] https://bugs.chromium.org/p/chromium/issues/detail?id=934984
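
Feature detection that handles both stages described in this post, as an added example that is not part of the original post and is not Mozilla's code. The function names and the `env` parameter are assumptions, and the two `stage*Env` objects are constructed stand-ins for a page loaded over http.

```javascript
// Added example, not Mozilla's code. `env` mirrors the page globals
// ({ navigator, isSecureContext }) so the logic also runs outside a browser.

// Stage 2 check: over http navigator.mediaDevices is undefined, so touching
// mediaDevices.getUserMedia unguarded would throw TypeError.
function mediaAvailability(env) {
  const md = env.navigator && env.navigator.mediaDevices;
  if (md && typeof md.getUserMedia === "function") return "available";
  return env.isSecureContext === false ? "insecure-context" : "unsupported";
}

// Stage 1 check: the API exists but rejects with NotAllowedError over http.
// A denied permission prompt uses the same error name, so isSecureContext
// is what separates the two cases.
function classifyRejection(err, isSecureContext) {
  if (err && err.name === "NotAllowedError") {
    return isSecureContext === false ? "insecure-context" : "permission-denied";
  }
  return "error";
}

async function requestCamera(env, constraints = { video: true }) {
  const state = mediaAvailability(env);
  if (state !== "available") return { ok: false, reason: state };
  try {
    const stream = await env.navigator.mediaDevices.getUserMedia(constraints);
    return { ok: true, stream };
  } catch (err) {
    return { ok: false, reason: classifyRejection(err, env.isSecureContext) };
  }
}

// Constructed stand-ins for the two rollout stages on an http:// page.
const stage1Env = {
  isSecureContext: false,
  navigator: { mediaDevices: { getUserMedia: () =>
    Promise.reject(Object.assign(new Error("insecure"), { name: "NotAllowedError" })) } },
};
const stage2Env = { isSecureContext: false, navigator: {} };
```

In a page, call `requestCamera({ navigator, isSecureContext: window.isSecureContext })` and show an "HTTPS required" message when the reason is `insecure-context`.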