RE: Plumb info-leak by nixing ConstraintNotSatisfiedError (Re: The mandatory constraint is a footgun)

Thanks for the clarification. I see what you mean about leaking information in ConstraintNotSatisfiedError. B looks good to me (and it's the same thing as A in the case where the user doesn't grant permission, right?).


- Jim

From: Jan-Ivar Bruaroey [mailto:jib@mozilla.com]
Sent: Wednesday, November 13, 2013 1:47 PM
To: Jim Barnett; Stefan Håkansson LK; public-media-capture@w3.org
Subject: Plumb info-leak by nixing ConstraintNotSatisfiedError (Re: The mandatory constraint is a footgun)


You're right, let me break this part out.



This sub-issue is not about the footgun, but about the information leak we get from the ConstraintNotSatisfiedError error in the getUserMedia() method.



To summarize, I believe the solution is to remove the ConstraintNotSatisfiedError, and always launch the permission prompt.



When this overconstrains, either:



 A. Remove the "Allow" button and inform the user they "need a feature X camera",
    or whatever, and never return consent (but still let user deny).
    The app is none the wiser.

 B. Warn the user that their camera(s) may not suffice, but let them consent anyway.
    This webpage can then query capabilities and let the user down nicely.



I prefer B (I care little about which cameras get listed in this case, though I'm sure an algorithm could be proposed that tried to honor those individual mandatory unordered constraints that didn't reduce the list to zero).





This has nothing to do with what Martin is proposing.

This does not alter or remove the Constrainable interface.

The getUserMedia call is special because it operates before any permission has been given.



.: Jan-Ivar :.



On 11/13/13 12:55 PM, Jim Barnett wrote:

The discussion is too nested at this point. I can't follow it.

I've trimmed out the relevant conversation below:

-----Original Message-----
From: Jan-Ivar Bruaroey [mailto:jib@mozilla.com]
Sent: Wednesday, November 13, 2013 12:28 PM
To: Stefan Håkansson LK; public-media-capture@w3.org
Subject: Re: The mandatory constraint is a footgun



On 11/13/13 5:02 AM, Stefan Håkansson LK wrote:
On 13/11/13 09:30, Jan-Ivar Bruaroey wrote:
On 11/12/13 8:09 PM, Stefan Håkansson LK wrote:

[...] one argument against getCapabilities in the past has been around fingerprinting. You can get info without the user at all getting to know about it.

That is not a problem when using optional constraints with gUM (because the user would be presented with the consent prompt). It is a little problematic with mandatory constraints with gUM because the app could repeat gUM with lower and lower reqs, but eventually the user would get informed (because the constraints can be met).

Yes, it's 20 questions:

"Do you have a back-facing camera?" - No
"Do you have a front-facing camera with width=1920 and height=1080" - No
"Do you have a front-facing camera with width=1600 and height=1200" - No
"Do you have a front-facing camera with width=1280 and height=1024" - No
"Do you have a front-facing camera with width=1024 and height=768" - No
"Do you have a front-facing camera with width=800 and height=600" - No
"Do you have a front-facing camera with width=640 and height=480" - Yes

You are a mountain lion!

Exactly, that is what I meant.

Some might argue the purpose of mandatory is to discover these things, but let's assume its value is just to limit the camera-picker list.

That is what we're saying.

If we care about these leaks, then let's always launch the permission prompt or a button-less overconstrained prompt informing the user that they "don't have a front-facing camera" or whatever, and never return consent.

That could be a solution.

Just to be clear: I don't have the competence to judge if we should care or not. I bring this up only to avoid forgetting this aspect (that others have brought up in the past).

I think it makes sense to consider. Would anyone object? (Again my preference is the solution below)

Or, my preference, warn the user that their camera(s) may not suffice, but let them consent anyway. The webpage can then query capabilities and write "lame" in WebGL if it wants.



.: Jan-Ivar :.



.: Jan-Ivar :.

Received on Wednesday, 13 November 2013 20:14:59 UTC
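Added example, not code from the thread, from Mozilla or from any browser: a small simulation of 2013-era getUserMedia() mandatory-constraint matching, showing the "20 questions" fingerprinting leak that ConstraintNotSatisfiedError enables and the proposed fix (always launch the permission prompt; option B in the thread). The function names (leakyGetUserMedia, promptFirstGetUserMedia, probe), the simplified constraint keys (facingMode, minWidth, minHeight) and the device inventory are all assumptions made for this example.

```javascript
// Added example, not code from the thread or from any browser: a simulation
// of mandatory-constraint matching in a 2013-style getUserMedia(). It shows
// the "20 questions" leak from ConstraintNotSatisfiedError and the proposed
// fix (always prompt). Function names, constraint keys and the device
// inventory below are assumptions made for the example.

// Constructed inventory for the simulated machine: one 640x480 front camera,
// the "mountain lion" of the thread's example.
const DEVICES = [{ facingMode: "user", width: 640, height: 480 }];

// Does one device satisfy every key of a mandatory constraint set?
function satisfies(device, mandatory) {
  return Object.entries(mandatory).every(([key, value]) => {
    switch (key) {
      case "facingMode": return device.facingMode === value;
      case "minWidth":   return device.width >= value;
      case "minHeight":  return device.height >= value;
      default:           return false; // unknown mandatory key: unsatisfiable
    }
  });
}

// Old behaviour: match devices first and fail with ConstraintNotSatisfiedError
// before any permission prompt, so the page learns about hardware silently.
function leakyGetUserMedia(constraints, askUser) {
  const matching = DEVICES.filter((d) => satisfies(d, constraints.video.mandatory));
  if (matching.length === 0) return { error: "ConstraintNotSatisfiedError" };
  const decision = askUser({ overconstrained: false });
  return decision === "allow" ? { stream: matching[0] } : { error: "PermissionDeniedError" };
}

// Proposed behaviour (option B): always prompt. When the mandatory constraints
// cannot be met the prompt carries a warning but still lets the user consent;
// nothing distinguishable reaches the page until the user has been asked.
function promptFirstGetUserMedia(constraints, askUser) {
  const matching = DEVICES.filter((d) => satisfies(d, constraints.video.mandatory));
  const decision = askUser({ overconstrained: matching.length === 0 });
  if (decision !== "allow") return { error: "PermissionDeniedError" };
  // Consented while overconstrained: hand over what exists and let the page
  // query capabilities and "let the user down nicely".
  return { stream: matching[0] || DEVICES[0] };
}

// The thread's questions, asked most-demanding first.
const QUESTIONS = [
  { label: "back-facing camera", mandatory: { facingMode: "environment" } },
  { label: "front 1920x1080", mandatory: { facingMode: "user", minWidth: 1920, minHeight: 1080 } },
  { label: "front 1600x1200", mandatory: { facingMode: "user", minWidth: 1600, minHeight: 1200 } },
  { label: "front 1280x1024", mandatory: { facingMode: "user", minWidth: 1280, minHeight: 1024 } },
  { label: "front 1024x768",  mandatory: { facingMode: "user", minWidth: 1024, minHeight: 768 } },
  { label: "front 800x600",   mandatory: { facingMode: "user", minWidth: 800,  minHeight: 600 } },
  { label: "front 640x480",   mandatory: { facingMode: "user", minWidth: 640,  minHeight: 480 } },
];

// A fingerprinting page running the questions against a getUserMedia
// implementation, with a user who denies every prompt. Returns the facts the
// page learned with no prompt at all, the question at which a prompt finally
// appeared, and how many prompts the user saw.
function probe(gum) {
  let prompts = 0;
  const askUser = () => { prompts += 1; return "deny"; };
  const silentNos = [];
  let stoppedAt = null;
  for (const q of QUESTIONS) {
    const result = gum({ video: { mandatory: q.mandatory } }, askUser);
    if (result.error === "ConstraintNotSatisfiedError") {
      silentNos.push(q.label); // learned without the user ever being asked
      continue;
    }
    stoppedAt = q.label; // a prompt appeared (or a stream came back)
    break;
  }
  return { silentNos, stoppedAt, prompts };
}

// Stand-alone run: compare what the page learns under each behaviour.
console.log("leaky:", JSON.stringify(probe(leakyGetUserMedia)));
console.log("prompt-first:", JSON.stringify(probe(promptFirstGetUserMedia)));
```

With the old behaviour the page collects six "no" answers and only then triggers a prompt, so even a user who denies has already leaked that the best camera is a 640x480 front-facing one. With the prompt-first behaviour the very first question raises a prompt, and a denial tells the page nothing about which of the seven questions would have matched. Note that the prompt count is one in both runs: the difference is not how often the user is bothered but whether anything about the hardware is learned before the user is.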