-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What is the purpose of requiring a successful gUM call before enumerateDevices? #1019
Comments
I think there's some misunderstanding here.
100% agree the objective of persistent permissions is to avoid constant prompts. But users who have persisted permissions won't incur any prompt when a fresh gUM call is made. So how does trimming enumerateDevices ahead of camera and microphone being turned on lead to "constant prompts"?
100% agree.
The spec allows UAs to implement persistent permissions, one-time permissions, even both. The purpose of not returning detailed device information without a recent gUM call is twofold:
A website that expects to list devices on pageload won't work in Firefox or Safari. This is not hypothetical. Sadly it seems it's not uncommon to test against a single browser. Both Safari and Firefox let users grant one-time permissions to camera and microphone by default. Chrome is experimenting with them as well: |
Certainly. The issue is that the requirement of gUM before enumerateDevices is incompatible with the way many Web applications have been written for a long time, which was to assume enumerateDevices results (among other things) are gated by permissions.
The claim refers to the fact that the only practical way to implement the gUM-before-eD in a way that is fully compatible with existing applications is to do it with non-persistent permissions (or at least, making the browser always reply 'prompt' to permission queries before the first gUM, even if gUM won't actually prompt).
Because the practical way to implement this in a way that doesn't break existing applications is to use non-persistent permissions, which would prompt often, like Safari does.
The concern is not what is possible or not, but compatibility with existing real-world applications.
The benefit of gUM over permissions here is quite limited, as trackers will need to call gUM anyway to get permissions. For cross-origin tracking, each top-level origin needs to call gUM successfully at least once to get permissions and successfully participate in cross-origin tracking.
gUM-before-eD does not give any interoperability assurances over permissions-before-eD.
It won't work on Chrome either (unless they have permissions, which requires gUM). The reason Safari has not seen any compatibility problems due to gUM-before-eD is that their permissions are non-persistent, so applications know they have to call gUM.
The problem is not the various permission models browsers implement and modify over time. |
TL;DR: please read my answer in web-platform-tests/interop#849 (comment).
This isn't accurate. AFAIK only labels were gated on permission in the old spec.
It might be time to try again.
What existing applications? There must be some misunderstanding as I don't follow this at all. Firefox supports persistent permission through the
Of course it does. It's the predominant video conferencing model that works in all browsers. Most users don't have multiple cameras facing them. So websites ask for the default camera (or remember the previously one) and add a ⚙️ settings page for making changes.
A website can prime for permission just once in Chrome, and assume device ennumeration on pageload works forevermore.
Why has Firefox not seen any compatibility issues?
I'd like to see these existing applications. The previous spec never specified permissions-before-eD, it specified permissions-before-eD-with-labels. You didn't need permission for eD. So any compatibility issue tied to permission seems homemade. |
Yes, when I say enumerateDevices, I actually mean full enumerateDevices results containing labels, useful for an in-app device picker.
Maybe it's time to change the spec instead.
In your own words, by 2023, this was Most video conferencing sites. More specifically, you literally said in 2023: Most video conferencing sites offer a smoother user experience to returning Chrome users than to returning users in other browsers, because they basically ignore past non-persisted permissions entirely. You even specifically mentioned whereby.com and indicated this code pattern:
This matches our observations as well, so we are in full agreement here. Chrome certainly does not want to break the smoother user experience persistent permissions provide.
I meant conceptually. If Firefox switches to permissions-before-eD-with-labels it will be interoperable with Chrome and Safari. Safari does not need to change anything because in their case permissions-before-eD-with-labels is the same as gUM-before-eD-with-labels.
This is not accurate. The user can revoke permissions at any time, so permissions are not "forevermore" in Chrome.
No idea. But I'm a bit confused. Just yesterday you said:
In 2023 you said Most video conferencing sites offer a smoother user experience to returning Chrome users, which means a worse experience for Firefox users. Have you confirmed that most video conferencing sites now offer the smoother experience for Firefox users as well? And you also said yesterday that there is a "huge interoperability issue"? But today you say Firefox has not seen any compatibility issues. If there are no such issues, then what is the "huge" part? Note also that any application written against the new spec will work fine with Chrome, as permissions-before-eD-labels is forwards-compatible with gUM-before-eD-labels. So Chrome is not preventing applications to move to the new spec, but it will not risk breaking compatibility to force such a move.
Last year you said they were ** Most video conferencing sites** and you mentioned whereby.com. Yesterday you said Slack huddles requires some workaround, which I presume is not necessary with Chrome and Safari (both of which implement permissions-before-eD-with-labels).
When I said permissions-before-eD I meant permissions-before-eD-with-labels, which is indeed what the old spec said, is exactly what Chrome implements, and is what most applications are written to. eD has always returned some result when called without permissions, with both the old and new specs. I said permissions-before-eD just to make it shorter, since the pre-permissions results without labels were unused by VC applications but were useful for trackers in the old spec. The PING changes Chrome implemented kept the pre-permissions results useless for VC applications but also made them useless for trackers. |
FWIW, I do not think we can go back and weaken the privacy story. To make progress on mitigations, it would be good to qualify a few things:
Based on this, various ideas could be tested, for instance:
These are only ideas though, the first thing is to understand the various breakages. |
Gating eD labels to permissions does not weaken the privacy story IMO. I would argue that forcing a gUM call can be detrimental to user privacy in some cases. Consider the following case:
permissions-before-eD supports this use case without problems. gUM-before-eD cannot support this use case correctly. The application has to choose between a broken UI or violating the user's privacy to produce a proper UI. This use case is common for VC applications and it should be possible for UAs to support it if they want to support it. We can be creative in ways that keep the same level of privacy but mitigate breakage. Interventions are also fine to make progress. @guidou, have you considered these possibilities?
Some examples:
I think these ideas (and others) are worth exploring, hence why this issue has been filed. |
I agree with this.
It weakens the privacy story: a non-conferencing website can obtain camera/mic access a single time for a seemingly benign reason like scanning a QR code or snapping a listing photo. Users who have granted persistent permission to such websites — the sole choice in Chrome release still — unwittingly allow those websites to delegate permission to third-parties to help fingerprint them. Having to call gUM deters this. Also, it's not just labels anymore, but the number of cameras and microphones the user has as well.
Firefox shouldn't have to remove its persistent permission feature to provide the same guarantees as Safari. Spec agrees.
Use case error: we should solve for all users, not just those who have persisted permission.
This is entirely solvable for all users, because a website can turn on camera or microphone ahead of transmission.
Said differently: For returning users, device pickers aren't populated. Why single out a pity-group? What you call "broken" is the behavior everyone else gets today. We've discussed Zoom at length. Zoom is handling it, so calling it "breakage" seems a stretch. Preferential treatment is no longer given to a sub-group of users. This can be a good thing, challenging websites to solve this without discriminating or weakening privacy. Here's a demo page employing multiple strategies for some ideas (it caches devices and calls gUM on selection).
Invalid, as explained in web-platform-tests/interop#849 (comment). Whereby does not enumerate ahead of gUM.
From this description it sounds unaffected? I can try it tomorrow.
If it's similar to Whereby then it's invalid here.
I use MS teams in Firefox regularly. No breakage observed. Though I confess, like probably 99% of users I have just a single front-facing camera. |
In the past, the requirement for enumerateDevices was to have the corresponding permissions granted.
Now a successful gUM call is required, which is a stronger requirement.
I think the old version was better, since that one allowed implementations to have the gUM requirement by making the permission nonpersistent.
Forcing the gUM requirement on implementations with persistent permissions makes persistent permissions largely useless, since one of the objectives of persistent permissions is to avoid constant prompts for frequent users of VC applications.
I agree that always prompting might have some privacy benefits, but this comes at the cost of making things more difficult or inconvenient for frequent users of VC applications. I think this is an area where it is better to let UAs decide the tradeoff that works better for their users.
The old version of the spec also makes it easier to achieve interoperability between UAs without breaking compatibility with existing applications.
The text was updated successfully, but these errors were encountered: