Remove media.eme.require-app-approval prompt and pref
Description • 2 years ago (Reporter)
The media.eme.require-app-approval prompt and pref were added in bug 1620102 for GeckoView. Firefox desktop doesn't show a prompt. Removing GeckoView's prompt would improve the user experience and avoid breaking some websites.
Based on research in bug 1523443 comment 13, on Android 8+, the device identifier is unique per app and device [1]. Thus, apps and websites can't use it to track users across apps or devices and the device identifier is not much different than a regular cookie and is cleared when Firefox clears cookies.
[1] https://developer.android.com/reference/android/provider/Settings.Secure.html#ANDROID_ID
Comment 1 • 2 years ago (Reporter)
Screenshot of the current EME prompt
Comment 3 • 2 months ago
Hi folks, I'd like to share why I strongly disagree with the removal of this feature from GeckoView and Fenix, and why I believe that this decision should be re-considered:
- The risk of exposing device identifiers is only one of the many well-documented privacy and security concerns with EME. Mozilla has also directly acknowledged many of these concerns in the past, and openly criticized the EME standard due to them (1, 2). I think it says a lot that to this day, Mozilla goes to the extent of offering separate EME-free builds for desktop.
- The EME permission prompt helps mitigate these concerns by allowing users to enable it on a per-site basis (This is especially beneficial from a security perspective, due to the reduction in attack surface it provides).
- It also ensures that users are made aware of when a site is using EME, and are making the active, informed decision to allow it, if they decide to do so.
- It provides users with freedom and total control over when and where EME is used, if they decide to even use it at all.
- For reference, I will note that Chromium also implements a permission prompt for EME on Android.
- This feature is important to and used by GeckoView embedders and Fenix derivatives (such as IronFox, of which I am a developer).
I also feel that this decision is in conflict with Mozilla's mission and ideals/core values. Specifically, I'd like to point to Principles 4 and 5 from the manifesto, which state:
> Individuals' security and privacy on the internet are fundamental and must not be treated as optional.
> Individuals must have the ability to shape the internet and their own experiences on it.
So, ultimately, I feel that the removal of this prompt and the ability to control EME per-site would be a major regression in terms of user privacy, security, and control for Android users. I'm disappointed that it's being considered.
Now, to address some of the points :cpeterson made above:
> Firefox desktop doesn't show a prompt.
It should! ;) - But, regardless, I don't think it's justified to remove a legitimately useful, important feature and weaken the privacy, security, and freedom/control of users on one platform just because it's lacking on another.
> Removing GeckoView's prompt would improve the user experience
How so? If you're concerned about the prompts bothering users, for a compromise, instead of removing the entire feature, could we please just consider setting it to Allow by default instead? While I do believe the default value should ideally remain on Ask to allow (due to Mozilla's values and emphasis on privacy-respecting, secure software, as well as the reasons I outlined above), I think this would be a reasonable compromise that would still allow users to take advantage of this feature who wish to do so.
> and avoid breaking some websites.
I'm not exactly sure what you mean by this - to clarify, are you saying something specific to the prompt itself is breaking some websites, or that EME being blocked is breaking some websites? If it's the latter, I'm not sure I understand, because isn't that the point? I feel like it'd be the equivalent of saying the geolocation permission prompt "breaks" websites that use location. If the user makes an active decision to allow or disallow something, I think it's reasonable to expect that a website then wouldn't be able to use that thing, no? Either way, I think the compromise I proposed above of changing the default value to Allow may also alleviate your concern here, without needing to remove the entire feature (For reference, I know Chromium sets their EME permission to Allow by default as well, but they still allow users to set it to Ask to allow or Blocked and control it on a per-site basis if desired).
Thank you for your time and consideration here, all the best!
