
getUserMedia can be used to detect capabilities without permissions #697

Closed
guidou opened this issue Jun 16, 2020 · 10 comments
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@guidou (Contributor) commented Jun 16, 2020

The current getUserMedia() spec indicates that prompting for permission (step 5.2) goes after constraints processing (step 3.4).
A consequence of this is that it is possible to determine if the system is capable of, for example full HD capture (or any other capability), by making the appropriate gUM calls and looking at the resulting error.
In these cases, Chromium and Safari return OverconstrainedError and Firefox returns NotFoundError.

Possible ways to address this:

  1. Always return NotAllowedError if constraints processing fails, but no permission to use devices has yet been granted.
  2. Prompt before constraints processing.

Should we update the spec to address this?

@dontcallmedom added the privacy-tracker label Jun 16, 2020

@alvestrand (Contributor)

Step 6.3.4 of the getUserMedia algorithm is already marked with a fingerprint marker; this has been discussed before, and the decision at the time was to warn the implementors, not change the processing.

The uncomfortable interaction if you swap the two is to get a permissions prompt, grant permission, and then get a "ha ha, you can't do this anyway" error message because you have no device that can satisfy the constraint.

My suggestion: This can be revisited in @jan-ivar's proposed extension spec for a getUserMedia variant that mandates an in-chrome picker. In the meantime, I wouldn't want to change present behavior.

@youennf (Contributor) commented Jun 18, 2020

In addition to what Harald said, the fingerprinting script would take the risk to show a prompt to the user, which is probably too risky for the script. To ensure this is annoying enough for such scripts, we make sure that:

  • The processing of getUserMedia can only happen in a visible page (so that the prompt can be shown), step 6.1. Processing is delayed for hidden pages until they are visible.
  • The error message should not provide any info on which constraint was not met if device info cannot be exposed. It seems we did this in step 6.6 but forgot to do it in step 6.4. We should probably fix this.

AFAIUI, OverconstrainedError is what should be returned according to the spec.
Is it a Firefox bug?

@youennf (Contributor) commented Jun 18, 2020

Another possibility is to progressively move out of mandatory constraints but treat them as ideal, except for some specific constraints like deviceId.

@jan-ivar (Member)

> Firefox returns NotFoundError.

@guidou please provide repro steps. Firefox returns OverconstrainedError for me.

If you're on mac, make sure you've granted OS camera permission to Firefox. That might explain the NotFoundError.

@jan-ivar (Member) commented Jun 18, 2020

We've discussed this in the past, and we decided trackers would not risk a prompt.

In the spec, we neutered the error.constraint property ahead of permission to mitigate the attack where multiple failing constraints are used: "Run the ApplyConstraints algorithm on all tracks in stream with the appropriate constraints. Should this fail, let failedConstraint be the result of the algorithm that failed if device information can be exposed is true, or undefined otherwise"
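The ordering problem from the opening post, the two proposed fixes, and the neutered error.constraint described in this comment, modelled in one place as an added example (not code from the spec or from any participant). The device capability tables, the `ordering` names and the width/height-only constraint matching are constructed for this example.

```javascript
// Added example: a toy model of getUserMedia() ordering. Not spec text.
// Constructed capability tables: a 720p-only camera vs. a 1080p-capable one.
const CAM_720P = { deviceId: 'cam-a', maxWidth: 1280, maxHeight: 720 };
const CAM_1080P = { deviceId: 'cam-b', maxWidth: 1920, maxHeight: 1080 };

// Name of the first "exact" constraint no device can satisfy, or null.
// Only width/height are modelled; ideal values never fail.
function firstFailingConstraint(devices, constraints) {
  for (const [name, value] of Object.entries(constraints)) {
    const exact = value && typeof value === 'object' ? value.exact : undefined;
    if (exact === undefined) continue;
    const ok = devices.some((d) =>
      name === 'width' ? exact <= d.maxWidth :
      name === 'height' ? exact <= d.maxHeight : false);
    if (!ok) return name;
  }
  return null;
}

// ordering (constructed names): 'current' = constraints, then prompt;
// 'notAllowed' = option 1 (NotAllowedError when constraints fail before
// permission); 'promptFirst' = option 2. granted = permission already
// persisted; userAllows = what the user would answer if prompted.
function getUserMediaModel(devices, constraints, { ordering, granted, userAllows }) {
  let prompted = false;
  const prompt = () => { prompted = true; return userAllows; };
  const failed = firstFailingConstraint(devices, constraints);
  const deny = () => ({ prompted, error: 'NotAllowedError', constraint: undefined });

  if (ordering === 'promptFirst' && !granted && !prompt()) return deny();
  if (failed !== null) {
    if (ordering === 'notAllowed' && !granted) return deny();
    // error.constraint is populated only once device info may be exposed.
    const expose = granted || ordering === 'promptFirst';
    return { prompted, error: 'OverconstrainedError', constraint: expose ? failed : undefined };
  }
  if (!granted && ordering !== 'promptFirst' && !prompt()) return deny();
  return { prompted, error: null, constraint: undefined };
}

// Privacy check: does an unpermitted page, with the user declining, learn
// 1080p capability from the error while at least one path shows no prompt?
function leaksWithoutPrompt(ordering) {
  const req = { width: { exact: 1920 }, height: { exact: 1080 } };
  const opts = { ordering, granted: false, userAllows: false };
  const a = getUserMediaModel([CAM_720P], req, opts);
  const b = getUserMediaModel([CAM_1080P], req, opts);
  return a.error !== b.error && (!a.prompted || !b.prompted);
}
```

Under 'current' the 720p system answers OverconstrainedError with no prompt at all, which is the leak; both proposed orderings make the two systems indistinguishable until a prompt has been shown.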

@guidou (Contributor, Author) commented Jun 18, 2020

You're right @jan-ivar. That was the reason. After giving system permission on Mac I get OverconstrainedError.

@youennf (Contributor) commented Jul 23, 2020

As discussed in w3c/mediacapture-image#229 (comment), it might be good to restrict the potential constraints that can be used as required in getUserMedia.
This would be specific to getUserMedia and would not apply to applyConstraints.

@youennf (Contributor) commented Jul 23, 2020

Initial PR at #707.
Ideally we would reduce the number of allowed mandatory constraints.

@alvestrand (Contributor)

I don't see a sufficiently clear case that the (admittedly minor) privacy leak is important enough that we should remove or limit the ability to not get devices you can't use for your purposes. We need a WG consensus to set a direction here.

@alvestrand (Contributor)

Closed as a result of merging #707.

@jan-ivar jan-ivar closed this as completed Oct 9, 2020
5 participants