Proposal: "private" execution mode from cowwoc on 2013-11-28 (public-media-capture@w3.org from November 2013)

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Thu, 28 Nov 2013 12:27:45 -0500
To: "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <52977D11.80709@bbs.darktech.org>

Hi,

I'd like to propose a high-level mechanism for dealing with 
fingerprinting risks. Borrowing from HTTP caching terminology, I propose 
declaring a new Javascript execution mode called "private". Code 
executed in "private" mode would be required to adhere to the following 
restrictions:

  * Any written data would be marked as "private". Data marked as
    "private" may only be accessed under "private" mode. In other words,
    privacy is contagious.
  * Sensitive methods that may be used to leak data outside the UA (e.g.
    outgoing network requests) MUST throw a permission denied error.

Here is a concrete example of how this may be used:

A user invokes getUserMedia(filter, onSuccess) where filterand onSuccess 
would be supplied by the user. The user invokes the function "normal" 
mode, but filter gets invoked in "private" mode. Here is a sample filter:

function filter(candidateDevice)
{
   var resolutions = candidateDevice.getResolutions();
   var idealResolution = {1280, 720};
   return resolutions.indexOf(idealResolution)!=-1;
}

In the above function, candidateDevice is marked as "private" by the 
browser before passing it into the function. WebRTC would invoke 
onSuccess in "normal" mode, passing it the first device accepted by the 
filter. *NOTE*: the above definition of getUserMedia() is just an 
example and is not part of this proposal.

There are many ways a browser could implement this proposal. It could 
mark data using a sticky "private" bit (as mentioned above). It could 
"validate" user functions before invoking them, and throw a permission 
denied error if they leak data. Any implementation that prevents 
"private" data from leaking is deemed to be compliant.

While this discussion used the getUserMedia() as an example, I believe 
that this mechanism could be used to tackle fingerprinting risks across 
the entire WebRTC surface. Unlike other proposals, I believe it does so 
without compromising the usability of the WebRTC API and user interface.

Let me know what you think.

Gili

Received on Thursday, 28 November 2013 17:29:00 UTC