5577 | 5577 |
|
5578 | 5578 | The primary security impact is that features of this API make it easier for an |
5579 | 5579 | attacker to exploit vulnerabilities in the underlying platform codecs. |
5580 | | -Additionally, new abilities to configure and control the codecs <em |
5581 | | -class="rfc2119">MAY</em> allow for new exploits that rely on a specific |
5582 | | -configuration and/or sequence of control operations. |
| 5580 | +Additionally, new abilities to configure and control the codecs can allow for |
| 5581 | +new exploits that rely on a specific configuration and/or sequence of control |
| 5582 | +operations. |
5583 | 5583 |
|
5584 | 5584 | Platform codecs are historically an internal detail of APIs like |
5585 | 5585 | {{HTMLMediaElement}}, [[WEBAUDIO]], and [[WebRTC]]. In this way, it has always |
|
5604 | 5604 |
|
5605 | 5605 | An additional concern is exposing the underlying codecs to input mutation race |
5606 | 5606 | conditions. Specifically, it <em class="rfc2119">SHOULD</em> not be possible for |
5607 | | -a site to mutate a codec input or output while the underlying codec <em |
5608 | | -class="rfc2119">MAY</em> still be operating on that data. This concern is |
5609 | | -mitigated by ensuring that input and output interfaces are immutable. |
| 5607 | +a site to mutate a codec input or output while the underlying codec is still |
| 5608 | +operating on that data. This concern is mitigated by ensuring that input and |
| 5609 | +output interfaces are immutable. |
5610 | 5610 |
|
5611 | 5611 | Privacy Considerations{#privacy-considerations} |
5612 | 5612 | =============================================== |
5613 | 5613 |
|
5614 | 5614 | The primary privacy impact is an increased ability to fingerprint users by |
5615 | 5615 | querying for different codec capabilities to establish a codec feature profile. |
5616 | 5616 | Much of this profile is already exposed by existing APIs. Such profiles are very |
5617 | | -unlikely to be uniquely identifying, but <em class="rfc2119">MAY</em> be used |
5618 | | -with other metrics to create a fingerprint. |
5619 | | - |
5620 | | -An attacker <em class="rfc2119">MAY</em> accumulate a codec feature profile by |
5621 | | -calling `IsConfigSupported()` methods with a number of different configuration |
5622 | | -dictionaries. Similarly, an attacker <em class="rfc2119">MAY</em> attempt to |
5623 | | -`configure()` a codec with different configuration dictionaries and observe |
5624 | | -which configurations are accepted. |
5625 | | - |
5626 | | -Attackers <em class="rfc2119">MAY</em> also use existing APIs to establish much |
5627 | | -of the codec feature profile. For example, the [[media-capabilities]] |
5628 | | -{{decodingInfo()}} API describes what types of decoders are supported and its |
5629 | | -{{powerEfficient}} attribute <em class="rfc2119">MAY</em> signal when a decoder |
5630 | | -uses hardware acceleration. Similarly, the [[WebRTC]] |
5631 | | -{{RTCRtpSender/getCapabilities()}} API <em class="rfc2119">MAY</em> be used to |
5632 | | -determine what types of encoders are supported and the |
5633 | | -{{RTCPeerConnection/getStats()}} API <em class="rfc2119">MAY</em> be used to |
5634 | | -determine when an encoder uses hardware acceleration. WebCodecs will expose some |
5635 | | -additional information in the form of low level codec features. |
| 5617 | +unlikely to be uniquely identifying, but can be used with other metrics to |
| 5618 | +create a fingerprint. |
| 5619 | + |
| 5620 | +An attacker can accumulate a codec feature profile by calling |
| 5621 | +`IsConfigSupported()` methods with a number of different configuration |
| 5622 | +dictionaries. Similarly, an attacker can attempt to `configure()` a codec with |
| 5623 | +different configuration dictionaries and observe which configurations are |
| 5624 | +accepted. |
| 5625 | + |
| 5626 | +Attackers can also use existing APIs to establish much of the codec feature |
| 5627 | +profile. For example, the [[media-capabilities]] {{decodingInfo()}} API |
| 5628 | +describes what types of decoders are supported and its {{powerEfficient}} |
| 5629 | +attribute can signal when a decoder uses hardware acceleration. Similarly, the |
| 5630 | +[[WebRTC]] {{RTCRtpSender/getCapabilities()}} API can be used to determine what |
| 5631 | +types of encoders are supported and the {{RTCPeerConnection/getStats()}} API can |
| 5632 | +be used to determine when an encoder uses hardware acceleration. WebCodecs will |
| 5633 | +expose some additional information in the form of low level codec features. |
5636 | 5634 |
|
5637 | 5635 | A codec feature profile alone is unlikely to be uniquely identifying. Underlying |
5638 | 5636 | codecs are often implemented entirely in software (be it part of the User Agent |
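Review bot: the cleanup in this hunk leaves one RFC 2119 keyword behind in the unchanged context line `it <em class="rfc2119">SHOULD</em> not be possible for` (the race-condition paragraph), while the replacement lines directly below it and the whole Privacy Considerations rewrite switch to plain "can". If these considerations sections are informative, as the rest of the change assumes, that sentence should lose the markup too and read "it should not be possible for a site to mutate a codec input or output while the underlying codec is still operating on that data" (or be restated as a requirement in the normative algorithm text); if it is meant as a conformance requirement, RFC 2119 defines the keyword as the unit "SHOULD NOT", so both words belong inside the `<em class="rfc2119">` span. A second, smaller point on the privacy lines: `IsConfigSupported()` and `configure()` are plain backticked code spans, whereas the neighbouring methods ({{decodingInfo()}}, {{RTCRtpSender/getCapabilities()}}, {{RTCPeerConnection/getStats()}}) use Bikeshed autolinks; using {{...}} for these two as well would link them to their definitions, and the casing should then be checked against the IDL, since WebIDL operation names are lowerCamelCase and a capital "I" will not match.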
|
5641 | 5639 | are often implemented with hardware acceleration, but such hardware is mass |
5642 | 5640 | produced and devices of a particular class and manufacture date (e.g. flagship |
5643 | 5641 | phones manufactured in 2020) will often have common capabilities. There will be |
5644 | | -outliers (some users <em class="rfc2119">MAY</em> run outdated versions of |
5645 | | -software codecs or use a rare mix of custom assembled hardware), but most of the |
5646 | | -time a given codec feature profile is shared by a large group of users. |
| 5642 | +outliers (some users can be running outdated versions of software codecs or use |
| 5643 | +a rare mix of custom assembled hardware), but most of the time a given codec |
| 5644 | +feature profile is shared by a large group of users. |
5647 | 5645 |
|
5648 | 5646 | Segmenting groups of users by codec feature profile still amounts to a bit of |
5649 | 5647 | entropy that can be combined with other metrics to uniquely identify a user. |
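Review bot: on the replacement line `outliers (some users can be running outdated versions of software codecs or use` the two coordinated verbs do not agree: "can be running ... or use" mixes a progressive with a bare infinitive. Either "some users can run outdated versions of software codecs or use a rare mix of custom assembled hardware" or "some users might run outdated versions of software codecs or use a rare mix of custom assembled hardware" keeps the intent of dropping the RFC 2119 keyword while reading cleanly; "might" also avoids the conformance connotation that a lowercase "may" can still carry for readers of a spec.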