Move enumerateDevices behind permission

[pes10k]

Currently websites can enumerate hardware capabilities with enumerateDevices(). Querying device capabilities is the kind of pseudo-identifier that allow users to be passively identified / fingerprinted. To prevent this, websites should, to the greatest degree possible, need user permission to query device capabilities. Websites should therefor need permission to access enumerateDevices().

Related: the Moz efforts discussed at the bottom of this comment : #607 (comment)

[vr000m]

@pallab-gain @karthikbr82 Please take a look

[youennf]

enumerateDevices has a "device-info" permission (https://w3c.github.io/permissions/#dom-permissionname-device-info). This permission is granted when getUserMedia is granted. This permission controls exposure of device labels currently, not exposure of devices.

Safari goes a bit further by obfuscating most information about devices if 'device-info' is not granted: it obfuscates most devices. This is probably somehow similar to what Mozilla is experimenting and @guido is mentioning (empty device IDs).

Another approach would be to prompt in case enumerateDevices is called and "device-info" permission is not granted. This seems harder to deploy given how enumerateDevices is used currently. The prompt user message might be also more difficult to understand than the getUserMedia message.

The additional use case to consider is for a webpage to monitor whether there is any camera/microphone at all, and update its UI accordingly.
A website can get this information through getUserMedia which seems more appropriate than enumerateDevices from a privacy perspective. ondevicechange is currently also available for that purpose.

[youennf]

One possibility discussed on the mailing list is:

• Remove "device-info"permission
• Allow unfiltered enumerateDevices results (and devicechange events) ONLY if getUserMedia was previously called successfully for the document.
  This would essentially put enumerateDevices behind the getUserMedia permission prompt.

[youennf]

Adding some more filtering in #632

[youennf]

Uploaded #641 to remove "device-info" permission.
Another possibility would be to keep "device-info" permission but also add this boolean so that a given browsing context can only get device info after at least one getUserMedia successful call.

[youennf]

Now that #641 is merged, enumerateDevices is effectively behind a camera/microphone permission.
I filed #645 and #646 to further tighten the model.

@snyderp, can we close this issue?

[pes10k]

@youennf i'm trying to follow the implications of this. Does this mean that the site can enumerate all devices after the user gives access to any device? If so, that would seem to conflict hard with the reduce-label-exposure topics we're discussing elsewhere. (and if not, can you say a bit more about the flow here? I might just be being dense…)

[youennf]

Does this mean that the site can enumerate all devices after the user gives access to any device?

By default, a site page will not be able to enumerate any device even if the site has persistent access to the camera/microphone.
A page has to request capture and be granted access to one device. At that point, the page will potentially get access to all camera and microphone information.
This makes enumerateDevices leaking information after getUserMedia leaked information, thus making enumerateDevices behind the getUserMedia permission as requested by this issue.

The fact that all devices are leaked after one getUserMedia call should be/is already treated as a separate issue.

[youennf]

The fact that all devices are leaked after one getUserMedia call should be/is already treated as a separate issue.

Tracked at #640.

[youennf]

Closing this issue. @snyderp, please reopen if you think that would be useful.