WebAPI/Security/Camera

From MozillaWiki

Name of API: Camera API

References:
http://dvcs.w3.org/hg/dap/raw-file/tip/media-stream-capture/scenarios... ("Section 2 Scenarios") are use case scenarios from the media capture task that is creating getUserMedia(), which this API is based on.
https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/52d86024cbfd0da6/a3a2779a041d3e6f

Brief purpose of API: Let content take photos and capture video and/or audio

Generic use cases: See per-category use cases below

Inherent threats: Steal or spy on user video/audio

Threat severity: High per https://wiki.mozilla.org/Security_Severity_Ratings

Regular web content (unauthenticated)

Use cases:

  • App allows user to take a picture for a profile
  • App allows user to take a picture and record an audio clip
  • App allows user to record a video with audio to send to someone else
  • App allows user to record an audio clip to send to someone else
  • App allows the user to start a podcast, open other tabs/apps while the recording continues (to look up and comment on information, etc.) and then come back to the tab/original app to finish the podcast. Note: the user may continue to record while opening or switching to other tabs/apps
  • App allows foreground photo sharing with realtime preview and special effects. Needs live video stream and the ability to manipulate the stream on the fly (this one might be a bit of a stretch; can work with the magic button or WebGL shader approach but requires some more research)

Authorization model for normal content: user-mediated OS UI

Authorization model installed content: user-mediated OS UI

Potential mitigations:

  • App can launch a user-mediated viewfinder UI to take a picture, record the video, or use the camera/mic feed, which the user approves prior to it being provided to the content.
  • Uses a video tag (or some such) that is validated to have a non-collapsed extent, not to be off-screen, and not to be (mostly) obscured by other content.
  • Additionally (contingent upon addressing UX and clickjacking concerns), we could potentially use a "magic button" rendered by OS with the app context.
  • There is a persistent recording indicator (blinking red light?).
  • App can continue recording if it loses focus.
  • Only top level content can request access.
  • There is no "always allow" option in this app category.
  • TBD: Appropriate limitations to device fingerprinting
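One way to implement the viewfinder validation listed above (non-collapsed extent, on-screen, not mostly obscured), as an added example that is not part of this wiki page or of Mozilla's implementation. The bounding box, viewport and hit-test are injected so the check runs outside a browser (in a browser they would come from getBoundingClientRect(), window.innerWidth/innerHeight and document.elementFromPoint()); the 50% threshold and the 10x10 sampling grid are assumptions.

```javascript
// Added example, not Mozilla code. Checks whether a viewfinder element is
// actually visible before a camera stream is handed to content.
// rect:     {left, top, width, height} of the element (CSS pixels)
// viewport: {width, height}
// hitTest:  (x, y) => true if the topmost element at (x, y) is the viewfinder
const MIN_VISIBLE_FRACTION = 0.5; // assumed cut-off for "mostly obscured"
const GRID = 10;                  // sample a GRID x GRID lattice of points

function viewfinderVisibility(rect, viewport, hitTest) {
  // 1. Non-collapsed extent: a zero-area element shows nothing to the user.
  if (!(rect.width > 0 && rect.height > 0)) {
    return { ok: false, reason: 'collapsed', visibleFraction: 0 };
  }
  // 2. On-screen: clip the box to the viewport.
  const left = Math.max(rect.left, 0);
  const top = Math.max(rect.top, 0);
  const right = Math.min(rect.left + rect.width, viewport.width);
  const bottom = Math.min(rect.top + rect.height, viewport.height);
  if (right <= left || bottom <= top) {
    return { ok: false, reason: 'off-screen', visibleFraction: 0 };
  }
  const onScreen = ((right - left) * (bottom - top)) / (rect.width * rect.height);
  // 3. Not obscured: hit-test a lattice over the on-screen part and count
  //    how many points resolve to the viewfinder rather than an overlay.
  let hits = 0;
  for (let i = 0; i < GRID; i++) {
    for (let j = 0; j < GRID; j++) {
      const x = left + ((i + 0.5) / GRID) * (right - left);
      const y = top + ((j + 0.5) / GRID) * (bottom - top);
      if (hitTest(x, y)) hits++;
    }
  }
  const visibleFraction = onScreen * (hits / (GRID * GRID));
  if (visibleFraction < MIN_VISIBLE_FRACTION) {
    return { ok: false, reason: 'mostly-hidden', visibleFraction };
  }
  return { ok: true, reason: 'visible', visibleFraction };
}

// Constructed scenario: a 200x100 viewfinder at (100,100) with an opaque
// overlay covering it from x=100 up to overlayRight (same vertical span).
function overlayHitTest(overlayRight) {
  return (x, y) => !(x >= 100 && x < overlayRight && y >= 100 && y < 200);
}
```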

Trusted (authenticated by publisher)

Use cases:

  • App allows users to record video from multiple webcams
  • App allows video monitoring such as a baby monitor or security camera that can run for extended periods of time
  • App can continue recording if it loses focus.

Authorization model: Explicit

Potential mitigations: Prompt for camera access, app then retains access to video/audio stream until exit. There is a persistent recording indicator.

Certified (vouched for by trusted 3rd party)

Use cases:

  • Main Camera app
  • App can continue recording if it loses focus.

Authorization model: Implicit

Potential mitigations: Settings manager could enumerate which apps have implicit access to camera. There is a persistent recording indicator.

Notes

  • Trusted & certified apps have access to the constraints/capabilities API