Chuck Harmston [:chuck] Reporter
	Description • 7 years ago

This appears to be the unintentional consequence of restricting this preference to HTTPS.

There's an argument to be made that WebExtensions should be exempt from this.

	Johann Hofmann [:johannh]
	Comment 1 • 7 years ago

Uhm, could an extension that got permanent access for its content page principal monitor me from the background page, or do they have different principals/origins? What happens if you try to access WebRTC from a background page right now? If the answer is: Yes that would be possible, I'd suggest we tread veeerrry carefully here.

	Andrew Swan [:aswan]
	Comment 3 • 7 years ago

The bug that this was dup'ed to was about using getUserMedia() from a background page, this bug is about using it from a moz-extension: page.  Its true that addressing this bug would affect subsequent uses from a background page, but its a distinct issue.
Regardless, I agree with Johann that there are some serious privacy concerns here and that we shouldn't just make the simple change of making moz-extension work like https.  Without having thought about it at length, I think we should (at least for now) simply forbid getUserMedia() from a background page.  But I wouldn't object to making an extension page in a tab work just like regular (secure) content where the user is given an "Always Allow" option but that would only grant future permission for a page from the same extension displayed in a tab (ie, no background page, sidebar, or popup)
Johann, what do you think?

	Johann Hofmann [:johannh]
	Comment 4 • 7 years ago

(In reply to Andrew Swan [:aswan] from comment #3)
> The bug that this was dup'ed to was about using getUserMedia() from a
> background page, this bug is about using it from a moz-extension: page.  Its
> true that addressing this bug would affect subsequent uses from a background
> page, but its a distinct issue.
> Regardless, I agree with Johann that there are some serious privacy concerns
> here and that we shouldn't just make the simple change of making
> moz-extension work like https.  Without having thought about it at length, I
> think we should (at least for now) simply forbid getUserMedia() from a
> background page.  But I wouldn't object to making an extension page in a tab
> work just like regular (secure) content where the user is given an "Always
> Allow" option but that would only grant future permission for a page from
> the same extension displayed in a tab (ie, no background page, sidebar, or
> popup)
> Johann, what do you think?

I fully agree, but we must have tests that ensure that gUM is not working on background pages, sidebar and popups! If we decide to support this, apart from declaring moz-extension pages secure for that purpose, we should also look into slightly improving the UI of that prompt. It should display the extension name instead of the UUID (and maybe even include an extra paragraph about "This extension will only have access to your camera as long as you keep the current tab open").

I'm happy to help with that :)

	Andrew Swan [:aswan]
	Comment 5 • 7 years ago

I fully agree about testing and about showing the extension name in the confirmation doorhanger.
I'm not so sure about the "...as long as you keep the current tab open" part, this doesn't seem any different than a regular content page that does the same thing, which we convey to the user with indicators in the tab strip (and which of course should also be present for extension pages).
I think we could separate this into two bugs, it seems like the "don't apply a persistent getUserMedia permission in a non-tabbed page" is worth doing for everything, not just extension pages (in case a regular https page with persistent getUserMedia permissions manages to get itself loaded in a sidebar or popup or something).  Once that's done, we're just left with allowing persistent permissions for moz-extension: and improving the notification contents.

	Johann Hofmann [:johannh]
	Comment 6 • 7 years ago

(In reply to Andrew Swan [:aswan] from comment #5)
> I'm not so sure about the "...as long as you keep the current tab open"
> part, this doesn't seem any different than a regular content page that does
> the same thing, which we convey to the user with indicators in the tab strip
> (and which of course should also be present for extension pages).

My thought was that if the prompt says:

"Will you allow Video Chat Extension to use your camera?"

or

"Will you allow Weather Add-On to access your location?"

then users may think that this privilege extends to the entire lifetime of the extension, because I'd presume most users know that an extension lives "permanently" in the browser while a webpage can be closed and then it's gone. Maybe I'm overestimating people but that's definitely what I'd think.

It's not a big deal for me though :)

> I think we could separate this into two bugs, it seems like the "don't apply
> a persistent getUserMedia permission in a non-tabbed page" is worth doing
> for everything, not just extension pages (in case a regular https page with
> persistent getUserMedia permissions manages to get itself loaded in a
> sidebar or popup or something).  Once that's done, we're just left with
> allowing persistent permissions for moz-extension: and improving the
> notification contents.

Ok, sure, that works for me.

	Firefox Bug Husbandry Bot
	Comment 8 • 6 years ago

Bulk move of bugs per https://bugzilla.mozilla.org/show_bug.cgi?id=1483958