Re: [mediacapture-main] Mitigate fingerprinting from OverconstrainedError in gUM(). (#564)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Thu, 14 Feb 2019 21:38:59 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-463808861-1550180338-sysbot+gh@w3.org>

> For instance, by mixing width constraint with deviceId constraint, a script could potentially distinguish cases like 720p vs 1080p cameras with no prompt triggered:

Great point! The "never return deviceId"-part of the PR is flawed. (link to [demo](https://jsfiddle.net/jib1/n0scjq18/) again).

> "User agents MAY tamper the value of failedConstraint as a fingerprinting mitigation".

I agree we should shoot for a more general statement like that. Not leaking information here may require UA smarts beyond what we want to write in stone in a spec.

However, we should probably be clear whether "tamper" extends to returning no name at all, which may be controversial (in today's spec, `error.constraint == ""` means *"you're getting close"*, i.e. none of the required constraints used would fail by themselves), it's solely a "combination failure".

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/pull/564#issuecomment-463808861 using your GitHub account
Received on Thursday, 14 February 2019 21:39:01 UTC
