Intent to deprecate: insecure getUserMedia & enumerateDevices requests

Tue, 26 Feb 2019 19:06:04 -0800

TL;DR: the getUserMedia API will reject with NotAllowedError in insecure contexts in Firefox 67 (due mid-May), and we'll experiment with navigator.mediaDevices being [SecureContext] in Nightly going forward.
Hi! We're moving to restrict the getUserMedia and enumerateDevices APIs, in two stages. 

This is tracked in https://bugzil.la/1335740 which adds two prefs:

  media.devices.insecure.enabled (defaults to true for now)
  media.getusermedia.insecure.enabled (false in 67)


Both need to be true for legacy behavior to work. We plan to roll out as 
follows:


Stage 1: getUserMedia NotAllowedError


The getUserMedia API will reject with NotAllowedError in insecure 
contexts in Firefox 67 (due mid-May). A number of reasons:


 • Parity with Chrome and Safari behavior for a couple of years now.
 • It's now both easy and free to get a valid SSL certificate. [1]
 • Last telemetry (it's expired) had insecure usage <3% of gUM. [2]
 • We anticipate low friction, due to behavior of Chrome and Safari.

Stage 2: remove navigator.mediaDevices in insecure contexts.


We'll experiment with navigator.mediaDevices being [SecureContext] in 
Nightly-only for now. Train ride TBA. This will impact:


    navigator.mediaDevices.getUserMedia()
    navigator.mediaDevices.enumerateDevices()
    navigator.mediaDevices.addEventListener("devicechange", ...)
    navigator.mozGetUserMedia()

These will all cause TypeError in insecure contexts/http, because

    navigator.mediaDevices === undefined
    navigator.mozGetUserMedia === undefined


Since these APIs are still relatively new, most sites should be 
feature-detecting them already using e.g. if (navigator.mediaDevices) { 
... }.


Reasons to do this:

 • Match the spec.
 • enumerateDevices() isn't needed in insecure contexts.
 • enumerateDevices() usage dwarfs gUM() 👉 fingerprinting abuse [3]
 • Chrome is targeting M74 for this [4]

[1] https://letsencrypt.org
[2] See https://bugzilla.mozilla.org/show_bug.cgi?id=1335740#c6
[3] https://lists.w3.org/Archives/Public/public-webrtc/2019Feb/0020.html
[4] https://bugs.chromium.org/p/chromium/issues/detail?id=934984
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform














    











					Reply via email to