Deny MIDI access if there are no MIDI devices connected to mitigate MIDI fingerprinting
Categories
(Core :: DOM: Core & HTML, task)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox108 | --- | fixed |
People
(Reporter: nchevobbe, Assigned: bholley)
References
Details
Attachments
(2 files)
Depending on the data of the telemetry probe we plan to add in Bug 1797019, we might want to automatically reject requestMIDIAccess if there are no midi devices connected.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 1•2 years ago
|
||
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
|
Assignee | |
Comment 4•2 years ago
•
|
||
Initial telemetry indicates that, after blocklisting the builtin synth on Windows (bug 1798097), only about 3% of windows and mac Nightly users have MIDI devices connected. Most (~85%) Linux users have a (likely virtual) device [1].
As such, auto-denying MIDI access in the absence of devices should result in an order-of-magnitude reduction in the number of users who might experience nuisance prompts. The patches here randomize the auto-deny time to make it harder for sites to use timing attacks to infer the existence or non-existence of devices.
[1] Emilio did some local testing across Fedora, Ubuntu, and Arch and found that each of them exposes a device called "Midi Through". In contrast to the situation on Windows, Chrome exposes this device, so we should probably do the same for compat reasons.
Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/31444500e5a2 Add an API to determine if there are any midi devices. r=gsvelto https://hg.mozilla.org/integration/autoland/rev/bfd3197ea9bb Only display the consent flow if the user has at least one MIDI devices. r=gsvelto
|
||
Comment 6•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/31444500e5a2
https://hg.mozilla.org/mozilla-central/rev/bfd3197ea9bb
Description
•