Re: [mediacapture-main] Spec does no handle fingerprinting related to exposing non default capture devices (#559)

> Inserting or unplugging a USB device _is_ user activity, much like a user pressing a key. Use `onkeypress`

I guess such a USB device API would raise similar concerns on our side.
Similarly, we would not like to have web pages being able to know that some keys were pressed before the page got focus.

> Known device presence is already leaked by `OverconstrainedError`. See [this demo](

Agreed on this issue.
That specific example is not working in Safari though. Some more complex ones might.
This is fixable and it would be nice for implementers if the spec could call out some of these issues instead of discovering them on their own.

> If you plan to remove _enumerateDevices()_ entirely, then I question the value of that, given my earlier points about _getUserMedia()_ and _devicechange_.

I am not pushing for removing enumerateDevices/devicechange, I see some valid usecases.
I am questioning the validity of enumerateDevices usecase when getUserMedia access is not granted given the fact that:
- this is currently in use to fingerprint users.
- most (all?) WebRTC usecases/apps do not seem to require it.

This issue is also about strengthening the spec privacy considerations.
It would be great if a naive implementer, after reading the spec, would try to address those issues instead of giving up on them.

GitHub Notification of comment by youennf
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 23 January 2019 04:16:32 UTC