Security/Reviews/Audio Recording - Web API

From MozillaWiki

Item Reviewed

Audio Recording - Web API & Implementation
Target Links:
ID | Summary | Priority | Status
803414 | Media Recording - Web API & Implementation | -- | VERIFIED

1 Total; 0 Open (0%); 0 Resolved (0%); 1 Verified (100%);

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=803414 (Audio Recording - Web API & Implementation)
The WebIDL for the Media Recording API: https://dvcs.w3.org/hg/dap/raw-file/tip/media-stream-capture/RecordingProposal.html
Proposal: https://wiki.mozilla.org/Gecko:MediaRecorder


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Reference document: https://dvcs.w3.org/hg/dap/raw-file/default/media-stream-capture/MediaRecorder.html

This API lets an application record video/audio data and save it to the file system.

Input: mediaStream, which comes from GetUserMedia (via the WebRTC module), video or audio clips
Output: encoded blob data

https://bugzilla.mozilla.org/show_bug.cgi?id=803414 - Provide access to audio buffer, opus output format

  • Can this be used with other APIs (e.g. <audio> element) ?
    • stream = <video

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?


Any security threats already considered in the design and why?

a. Unauthorized usage: The getUserMedia API would check if the application has the right to getMediaStream

Threat Brainstorming

- Cross-origin access to video/audio stream

   - maybe read cross-origin
   - either needs to be a permission
   - or some?

- Hijacking an existing stream from a video or audio element and calling mozCaptureStreamUntilEnded on it?

- Temporary files could be a privacy issue if not properly deleted?

- Running out of memory or disk space

- Access the microphone without the user knowing

   - doesn't increase the chance, but does increase the impact
   - audio bugging could be client side, or more complex?

- Is there a UI part (like in the status bar) to let the user know the microphone is on?

   - no UI in this API, but the WebRTC gUM does.

- What happens with malformed data

   - something to fuzz for    

- Is the AudioApi compliant w/ CORS? Or can you just read any old stream cross-origin? (the existing API, as well as the new one)

   - <audio> and <video> can be accessed cross-origin (same as above...)
   - https://developer.mozilla.org/en-US/docs/JavaScript/Same_origin_policy_for_JavaScript

Action Items

Action Item Status: In Progress
Release Target:
Action Items:
- Pauljt: determine the threat model for WebRTC

- Cdiehl: fuzz this API

- Pauljt: Tainting audio/video elements with cross-origin audio data, so that this API fails in such cases. (i.e. a web page should not be able to access the contents of cross-origin resources)
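
The tainting action item above can be illustrated with a small model. This is an added example, not code from Gecko or from this review; `mediaSource`, `captureStream`, `ModelRecorder` and `tryRecord` are hypothetical names and the URLs are constructed. A stream becomes tainted when any contributing source is cross-origin without CORS approval, and the recorder refuses to start on it.

```javascript
// Toy model of origin tainting for a recording API (not Gecko code).
// All class and function names here are hypothetical.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// A media resource as loaded by an <audio>/<video> element.
// corsApproved models a resource fetched in CORS mode whose server
// allowed the requesting page's origin.
function mediaSource(url, corsApproved = false) {
  return { origin: new URL(url).origin, corsApproved };
}

// A source is readable by pageOrigin only if it is same-origin or the
// cross-origin server opted in via CORS.
function sourceIsReadable(source, pageOrigin) {
  return source.origin === pageOrigin || source.corsApproved;
}

// A stream is tainted if ANY contributing source is unreadable, so
// mixing one cross-origin track into a stream taints the whole stream.
function captureStream(sources, pageOrigin) {
  const tainted = sources.some((s) => !sourceIsReadable(s, pageOrigin));
  return { sources, tainted };
}

class ModelRecorder {
  constructor(stream) {
    this.stream = stream;
    this.chunks = [];
  }
  // Refuse before any encoded data exists, so nothing can leak.
  start() {
    if (this.stream.tainted) {
      throw new SecurityError("stream contains cross-origin media");
    }
    this.chunks.push("encoded-blob"); // placeholder for encoder output
    return this.chunks.length;
  }
}

// Returns "recorded" or the name of the error that blocked recording.
function tryRecord(sources, pageOrigin) {
  try {
    new ModelRecorder(captureStream(sources, pageOrigin)).start();
    return "recorded";
  } catch (e) {
    return e.name;
  }
}
```
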
