diff options
Diffstat (limited to 'browser/actors/WebRTCParent.jsm')
-rw-r--r-- | browser/actors/WebRTCParent.jsm | 1484 |
1 files changed, 1484 insertions, 0 deletions
diff --git a/browser/actors/WebRTCParent.jsm b/browser/actors/WebRTCParent.jsm new file mode 100644 index 0000000000..32d97d44e4 --- /dev/null +++ b/browser/actors/WebRTCParent.jsm @@ -0,0 +1,1484 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +var EXPORTED_SYMBOLS = ["WebRTCParent"]; + +const { XPCOMUtils } = ChromeUtils.importESModule( + "resource://gre/modules/XPCOMUtils.sys.mjs" +); + +const lazy = {}; + +ChromeUtils.defineESModuleGetters(lazy, { + PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.sys.mjs", +}); +ChromeUtils.defineModuleGetter( + lazy, + "SitePermissions", + "resource:///modules/SitePermissions.jsm" +); +ChromeUtils.defineModuleGetter( + lazy, + "webrtcUI", + "resource:///modules/webrtcUI.jsm" +); + +XPCOMUtils.defineLazyServiceGetter( + lazy, + "OSPermissions", + "@mozilla.org/ospermissionrequest;1", + "nsIOSPermissionRequest" +); + +// Keep in sync with defines at base_capturer_pipewire.cc +// With PipeWire we can't select which system resource is shared so +// we don't create a window/screen list. Instead we place these constants +// as window name/id so frontend code can identify PipeWire backend +// and does not try to create screen/window preview. +const PIPEWIRE_PORTAL_NAME = "####_PIPEWIRE_PORTAL_####"; +const PIPEWIRE_ID = 0xaffffff; + +class WebRTCParent extends JSWindowActorParent { + didDestroy() { + // Media stream tracks end on unload, so call stopRecording() on them early + // *before* we go away, to ensure we're working with the right principal. + this.stopRecording(this.manager.outerWindowId); + lazy.webrtcUI.forgetStreamsFromBrowserContext(this.browsingContext); + // Must clear activePerms here to prevent them from being read by laggard + // stopRecording() calls, which due to IPC, may come in *after* navigation. + // This is to prevent granting temporary grace periods to the wrong page. + lazy.webrtcUI.activePerms.delete(this.manager.outerWindowId); + } + + getBrowser() { + return this.browsingContext.top.embedderElement; + } + + receiveMessage(aMessage) { + switch (aMessage.name) { + case "rtcpeer:Request": { + let params = Object.freeze( + Object.assign( + { + origin: this.manager.documentPrincipal.origin, + }, + aMessage.data + ) + ); + + let blockers = Array.from(lazy.webrtcUI.peerConnectionBlockers); + + (async function() { + for (let blocker of blockers) { + try { + let result = await blocker(params); + if (result == "deny") { + return false; + } + } catch (err) { + console.error(`error in PeerConnection blocker: ${err.message}`); + } + } + return true; + })().then(decision => { + let message; + if (decision) { + lazy.webrtcUI.emitter.emit("peer-request-allowed", params); + message = "rtcpeer:Allow"; + } else { + lazy.webrtcUI.emitter.emit("peer-request-blocked", params); + message = "rtcpeer:Deny"; + } + + this.sendAsyncMessage(message, { + callID: params.callID, + windowID: params.windowID, + }); + }); + break; + } + case "rtcpeer:CancelRequest": { + let params = Object.freeze({ + origin: this.manager.documentPrincipal.origin, + callID: aMessage.data, + }); + lazy.webrtcUI.emitter.emit("peer-request-cancel", params); + break; + } + case "webrtc:Request": { + let data = aMessage.data; + + // Record third party origins for telemetry. + let isThirdPartyOrigin = + this.manager.documentPrincipal.origin != + this.manager.topWindowContext.documentPrincipal.origin; + data.isThirdPartyOrigin = isThirdPartyOrigin; + + data.origin = data.shouldDelegatePermission + ? this.manager.topWindowContext.documentPrincipal.origin + : this.manager.documentPrincipal.origin; + + let browser = this.getBrowser(); + if (browser.fxrPermissionPrompt) { + // For Firefox Reality on Desktop, switch to a different mechanism to + // prompt the user since fewer permissions are available and since many + // UI dependencies are not available. + browser.fxrPermissionPrompt(data); + } else { + prompt(this, this.getBrowser(), data); + } + break; + } + case "webrtc:StopRecording": + this.stopRecording( + aMessage.data.windowID, + aMessage.data.mediaSource, + aMessage.data.rawID + ); + break; + case "webrtc:CancelRequest": { + let browser = this.getBrowser(); + // browser can be null when closing the window + if (browser) { + removePrompt(browser, aMessage.data); + } + break; + } + case "webrtc:UpdateIndicators": { + let { data } = aMessage; + data.documentURI = this.manager.documentURI?.spec; + if (data.windowId) { + if (!data.remove) { + data.principal = this.manager.topWindowContext.documentPrincipal; + } + lazy.webrtcUI.streamAddedOrRemoved(this.browsingContext, data); + } + this.updateIndicators(data); + break; + } + } + } + + updateIndicators(aData) { + let browsingContext = this.browsingContext; + let state = lazy.webrtcUI.updateIndicators(browsingContext.top); + + let browser = this.getBrowser(); + if (!browser) { + return; + } + + state.browsingContext = browsingContext; + state.windowId = aData.windowId; + + let tabbrowser = browser.ownerGlobal.gBrowser; + if (tabbrowser) { + tabbrowser.updateBrowserSharing(browser, { + webRTC: state, + }); + } + } + + denyRequest(aRequest) { + this.sendAsyncMessage("webrtc:Deny", { + callID: aRequest.callID, + windowID: aRequest.windowID, + }); + } + + // + // Deny the request because the browser does not have access to the + // camera or microphone due to OS security restrictions. The user may + // have granted camera/microphone access to the site, but not have + // allowed the browser access in OS settings. + // + denyRequestNoPermission(aRequest) { + this.sendAsyncMessage("webrtc:Deny", { + callID: aRequest.callID, + windowID: aRequest.windowID, + noOSPermission: true, + }); + } + + // + // Check if we have permission to access the camera or screen-sharing and/or + // microphone at the OS level. Triggers a request to access the device if access + // is needed and the permission state has not yet been determined. + // + async checkOSPermission(camNeeded, micNeeded, scrNeeded) { + // Don't trigger OS permission requests for fake devices. Fake devices don't + // require OS permission and the dialogs are problematic in automated testing + // (where fake devices are used) because they require user interaction. + if ( + !scrNeeded && + Services.prefs.getBoolPref("media.navigator.streams.fake", false) + ) { + return true; + } + let camStatus = {}, + micStatus = {}; + if (camNeeded || micNeeded) { + lazy.OSPermissions.getMediaCapturePermissionState(camStatus, micStatus); + } + if (camNeeded) { + let camPermission = camStatus.value; + let camAccessible = await this.checkAndGetOSPermission( + camPermission, + lazy.OSPermissions.requestVideoCapturePermission + ); + if (!camAccessible) { + return false; + } + } + if (micNeeded) { + let micPermission = micStatus.value; + let micAccessible = await this.checkAndGetOSPermission( + micPermission, + lazy.OSPermissions.requestAudioCapturePermission + ); + if (!micAccessible) { + return false; + } + } + let scrStatus = {}; + if (scrNeeded) { + lazy.OSPermissions.getScreenCapturePermissionState(scrStatus); + if (scrStatus.value == lazy.OSPermissions.PERMISSION_STATE_DENIED) { + lazy.OSPermissions.maybeRequestScreenCapturePermission(); + return false; + } + } + return true; + } + + // + // Given a device's permission, return true if the device is accessible. If + // the device's permission is not yet determined, request access to the device. + // |requestPermissionFunc| must return a promise that resolves with true + // if the device is accessible and false otherwise. + // + async checkAndGetOSPermission(devicePermission, requestPermissionFunc) { + if ( + devicePermission == lazy.OSPermissions.PERMISSION_STATE_DENIED || + devicePermission == lazy.OSPermissions.PERMISSION_STATE_RESTRICTED + ) { + return false; + } + if (devicePermission == lazy.OSPermissions.PERMISSION_STATE_NOTDETERMINED) { + let deviceAllowed = await requestPermissionFunc(); + if (!deviceAllowed) { + return false; + } + } + return true; + } + + stopRecording(aOuterWindowId, aMediaSource, aRawId) { + for (let { browsingContext, state } of lazy.webrtcUI._streams) { + if (browsingContext == this.browsingContext) { + let { principal } = state; + for (let { mediaSource, rawId } of state.devices) { + if (aRawId && (aRawId != rawId || aMediaSource != mediaSource)) { + continue; + } + // Deactivate this device (no aRawId means all devices). + this.deactivateDevicePerm( + aOuterWindowId, + mediaSource, + rawId, + principal + ); + } + } + } + } + + /** + * Add a device record to webrtcUI.activePerms, denoting a device as in use. + * Important to call for permission grace periods to work correctly. + */ + activateDevicePerm(aOuterWindowId, aMediaSource, aId) { + if (!lazy.webrtcUI.activePerms.has(this.manager.outerWindowId)) { + lazy.webrtcUI.activePerms.set(this.manager.outerWindowId, new Map()); + } + lazy.webrtcUI.activePerms + .get(this.manager.outerWindowId) + .set(aOuterWindowId + aMediaSource + aId, aMediaSource); + } + + /** + * Remove a device record from webrtcUI.activePerms, denoting a device as + * no longer in use by the site. Meaning: gUM requests for this device will + * no longer be implicitly granted through the webrtcUI.activePerms mechanism. + * + * However, if webrtcUI.deviceGracePeriodTimeoutMs is defined, the implicit + * grant is extended for an additional period of time through SitePermissions. + */ + deactivateDevicePerm( + aOuterWindowId, + aMediaSource, + aId, + aPermissionPrincipal + ) { + // If we don't have active permissions for the given window anymore don't + // set a grace period. This happens if there has been a user revoke and + // webrtcUI clears the permissions. + if (!lazy.webrtcUI.activePerms.has(this.manager.outerWindowId)) { + return; + } + let map = lazy.webrtcUI.activePerms.get(this.manager.outerWindowId); + map.delete(aOuterWindowId + aMediaSource + aId); + + // Add a permission grace period for camera and microphone only + if ( + (aMediaSource != "camera" && aMediaSource != "microphone") || + !this.browsingContext.top.embedderElement + ) { + return; + } + let gracePeriodMs = lazy.webrtcUI.deviceGracePeriodTimeoutMs; + if (gracePeriodMs > 0) { + // A grace period is extended (even past navigation) to this outer window + // + origin + deviceId only. This avoids re-prompting without the user + // having to persist permission to the site, in a common case of a web + // conference asking them for the camera in a lobby page, before + // navigating to the actual meeting room page. Does not survive tab close. + // + // Caution: since navigation causes deactivation, we may be in the middle + // of one. We must pass in a principal & URI for SitePermissions to use + // instead of browser.currentURI, because the latter may point to a new + // page already, and we must not leak permission to unrelated pages. + // + let permissionName = [aMediaSource, aId].join("^"); + lazy.SitePermissions.setForPrincipal( + aPermissionPrincipal, + permissionName, + lazy.SitePermissions.ALLOW, + lazy.SitePermissions.SCOPE_TEMPORARY, + this.browsingContext.top.embedderElement, + gracePeriodMs, + aPermissionPrincipal.URI + ); + } + } + + /** + * Checks if the principal has sufficient permissions + * to fulfill the given request. If the request can be + * fulfilled, a message is sent to the child + * signaling that WebRTC permissions were given and + * this function will return true. + */ + checkRequestAllowed(aRequest, aPrincipal) { + if (!aRequest.secure) { + return false; + } + // Always prompt for screen sharing + if (aRequest.sharingScreen) { + return false; + } + let { + callID, + windowID, + audioInputDevices, + videoInputDevices, + audioOutputDevices, + hasInherentAudioConstraints, + hasInherentVideoConstraints, + audioOutputId, + } = aRequest; + + if (audioOutputDevices?.length) { + // Prompt if a specific device is not requested, available and allowed. + let device = audioOutputDevices.find(({ id }) => id == audioOutputId); + if ( + !device || + !lazy.SitePermissions.getForPrincipal( + aPrincipal, + ["speaker", device.id].join("^"), + this.getBrowser() + ).state == lazy.SitePermissions.ALLOW + ) { + return false; + } + this.sendAsyncMessage("webrtc:Allow", { + callID, + windowID, + devices: [device.deviceIndex], + }); + return true; + } + + let { perms } = Services; + if ( + perms.testExactPermissionFromPrincipal(aPrincipal, "MediaManagerVideo") + ) { + perms.removeFromPrincipal(aPrincipal, "MediaManagerVideo"); + } + + // Don't use persistent permissions from the top-level principal + // if we're in a cross-origin iframe and permission delegation is not + // allowed, or when we're handling a potentially insecure third party + // through a wildcard ("*") allow attribute. + let limited = + (aRequest.isThirdPartyOrigin && !aRequest.shouldDelegatePermission) || + aRequest.secondOrigin; + + let map = lazy.webrtcUI.activePerms.get(this.manager.outerWindowId); + // We consider a camera or mic active if it is active or was active within a + // grace period of milliseconds ago. + const isAllowed = ({ mediaSource, rawId }, permissionID) => + map?.get(windowID + mediaSource + rawId) || + (!limited && + (lazy.SitePermissions.getForPrincipal(aPrincipal, permissionID).state == + lazy.SitePermissions.ALLOW || + lazy.SitePermissions.getForPrincipal( + aPrincipal, + [mediaSource, rawId].join("^"), + this.getBrowser() + ).state == lazy.SitePermissions.ALLOW)); + + let microphone; + if (audioInputDevices.length) { + for (let device of audioInputDevices) { + if (isAllowed(device, "microphone")) { + microphone = device; + break; + } + if (hasInherentAudioConstraints) { + // Inherent constraints suggest site is looking for a specific mic + break; + } + // Some sites don't look too hard at what they get, and spam gUM without + // adjusting what they ask for to match what they got last time. To keep + // users in charge and reduce prompts, ignore other constraints by + // returning the most-fit microphone a site already has access to. + } + if (!microphone) { + return false; + } + } + let camera; + if (videoInputDevices.length) { + for (let device of videoInputDevices) { + if (isAllowed(device, "camera")) { + camera = device; + break; + } + if (hasInherentVideoConstraints) { + // Inherent constraints suggest site is looking for a specific camera + break; + } + // Some sites don't look too hard at what they get, and spam gUM without + // adjusting what they ask for to match what they got last time. To keep + // users in charge and reduce prompts, ignore other constraints by + // returning the most-fit camera a site already has access to. + } + if (!camera) { + return false; + } + } + let devices = []; + if (camera) { + perms.addFromPrincipal( + aPrincipal, + "MediaManagerVideo", + perms.ALLOW_ACTION, + perms.EXPIRE_SESSION + ); + devices.push(camera.deviceIndex); + this.activateDevicePerm(windowID, camera.mediaSource, camera.rawId); + } + if (microphone) { + devices.push(microphone.deviceIndex); + this.activateDevicePerm( + windowID, + microphone.mediaSource, + microphone.rawId + ); + } + this.checkOSPermission(!!camera, !!microphone, false).then( + havePermission => { + if (havePermission) { + this.sendAsyncMessage("webrtc:Allow", { callID, windowID, devices }); + } else { + this.denyRequestNoPermission(aRequest); + } + } + ); + return true; + } +} + +function prompt(aActor, aBrowser, aRequest) { + let { + audioInputDevices, + videoInputDevices, + audioOutputDevices, + sharingScreen, + sharingAudio, + requestTypes, + } = aRequest; + + let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin( + aRequest.origin + ); + + // For add-on principals, we immediately check for permission instead + // of waiting for the notification to focus. This allows for supporting + // cases such as browserAction popups where no prompt is shown. + if (principal.addonPolicy) { + let isPopup = false; + let isBackground = false; + + for (let view of principal.addonPolicy.extension.views) { + if (view.viewType == "popup" && view.xulBrowser == aBrowser) { + isPopup = true; + } + if (view.viewType == "background" && view.xulBrowser == aBrowser) { + isBackground = true; + } + } + + // Recording from background pages is considered too sensitive and will + // always be denied. + if (isBackground) { + aActor.denyRequest(aRequest); + return; + } + + // If the request comes from a popup, we don't want to show the prompt, + // but we do want to allow the request if the user previously gave permission. + if (isPopup) { + if (!aActor.checkRequestAllowed(aRequest, principal, aBrowser)) { + aActor.denyRequest(aRequest); + } + return; + } + } + + // If the user has already denied access once in this tab, + // deny again without even showing the notification icon. + for (const type of requestTypes) { + const permissionID = + type == "AudioCapture" ? "microphone" : type.toLowerCase(); + if ( + lazy.SitePermissions.getForPrincipal(principal, permissionID, aBrowser) + .state == lazy.SitePermissions.BLOCK + ) { + aActor.denyRequest(aRequest); + return; + } + } + + let chromeDoc = aBrowser.ownerDocument; + const localization = new Localization( + ["browser/webrtcIndicator.ftl", "branding/brand.ftl"], + true + ); + + /** @type {"Screen" | "Camera" | null} */ + let reqVideoInput = null; + if (videoInputDevices.length) { + reqVideoInput = sharingScreen ? "Screen" : "Camera"; + } + /** @type {"AudioCapture" | "Microphone" | null} */ + let reqAudioInput = null; + if (audioInputDevices.length) { + reqAudioInput = sharingAudio ? "AudioCapture" : "Microphone"; + } + const reqAudioOutput = !!audioOutputDevices.length; + + const stringId = getPromptMessageId( + reqVideoInput, + reqAudioInput, + reqAudioOutput, + !!aRequest.secondOrigin + ); + const message = localization.formatValueSync(stringId, { + origin: "<>", + thirdParty: "{}", + }); + + let notification; // Used by action callbacks. + const actionL10nIds = [{ id: "webrtc-action-allow" }]; + + let notificationSilencingEnabled = Services.prefs.getBoolPref( + "privacy.webrtc.allowSilencingNotifications" + ); + + const isNotNowLabelEnabled = allowedOrActiveCameraOrMicrophone(aBrowser); + let secondaryActions = []; + if (notificationSilencingEnabled && sharingScreen) { + // We want to free up the checkbox at the bottom of the permission + // panel for the notification silencing option, so we use a + // different configuration for the permissions panel when + // notification silencing is enabled. + + // If we have a (temporary) allow permission for some mic/cam device + // we offer a 'Not now' label instead of 'Block'. + const id = isNotNowLabelEnabled + ? "webrtc-action-not-now" + : "webrtc-action-block"; + actionL10nIds.push({ id }, { id: "webrtc-action-always-block" }); + secondaryActions = [ + { + callback(aState) { + aActor.denyRequest(aRequest); + if (!isNotNowLabelEnabled) { + lazy.SitePermissions.setForPrincipal( + principal, + "screen", + lazy.SitePermissions.BLOCK, + lazy.SitePermissions.SCOPE_TEMPORARY, + notification.browser + ); + } + }, + }, + { + callback(aState) { + aActor.denyRequest(aRequest); + lazy.SitePermissions.setForPrincipal( + principal, + "screen", + lazy.SitePermissions.BLOCK, + lazy.SitePermissions.SCOPE_PERSISTENT, + notification.browser + ); + }, + }, + ]; + } else { + // We have a (temporary) allow permission for some device + // hence we offer a 'Not now' label instead of 'Block'. + const id = isNotNowLabelEnabled + ? "webrtc-action-not-now" + : "webrtc-action-block"; + actionL10nIds.push({ id }); + secondaryActions = [ + { + callback(aState) { + aActor.denyRequest(aRequest); + + const isPersistent = aState?.checkboxChecked; + + // Choosing 'Not now' will not set a block permission + // we just deny the request. This enables certain use cases + // where sites want to switch devices, but users back out of the permission request + // (See Bug 1609578). + // Selecting 'Remember this decision' and clicking 'Not now' will set a persistent block + if (!isPersistent && isNotNowLabelEnabled) { + return; + } + + // Denying a camera / microphone prompt means we set a temporary or + // persistent permission block. There may still be active grace period + // permissions at this point. We need to remove them. + clearTemporaryGrants( + notification.browser, + reqVideoInput === "Camera", + !!reqAudioInput + ); + + const scope = isPersistent + ? lazy.SitePermissions.SCOPE_PERSISTENT + : lazy.SitePermissions.SCOPE_TEMPORARY; + if (reqAudioInput) { + lazy.SitePermissions.setForPrincipal( + principal, + "microphone", + lazy.SitePermissions.BLOCK, + scope, + notification.browser + ); + } + if (reqVideoInput) { + lazy.SitePermissions.setForPrincipal( + principal, + sharingScreen ? "screen" : "camera", + lazy.SitePermissions.BLOCK, + scope, + notification.browser + ); + } + }, + }, + ]; + } + + // The formatMessagesSync method returns an array of results + // for each message that was requested, and for the ones with + // attributes, returns an attributes array with objects like: + // { name: "label", value: "somevalue" } + const [mainMessage, ...secondaryMessages] = localization + .formatMessagesSync(actionL10nIds) + .map(msg => + msg.attributes.reduce( + (acc, { name, value }) => ({ ...acc, [name]: value }), + {} + ) + ); + + const mainAction = { + label: mainMessage.label, + accessKey: mainMessage.accesskey, + // The real callback will be set during the "showing" event. The + // empty function here is so that PopupNotifications.show doesn't + // reject the action. + callback() {}, + }; + + for (let i = 0; i < secondaryActions.length; ++i) { + secondaryActions[i].label = secondaryMessages[i].label; + secondaryActions[i].accessKey = secondaryMessages[i].accesskey; + } + + let options = { + name: lazy.webrtcUI.getHostOrExtensionName(principal.URI), + persistent: true, + hideClose: true, + eventCallback(aTopic, aNewBrowser, isCancel) { + if (aTopic == "swapping") { + return true; + } + + let doc = this.browser.ownerDocument; + + // Clean-up video streams of screensharing previews. + if ( + reqVideoInput !== "Screen" || + aTopic == "dismissed" || + aTopic == "removed" + ) { + let video = doc.getElementById("webRTC-previewVideo"); + video.deviceId = null; // Abort previews still being started. + if (video.stream) { + video.stream.getTracks().forEach(t => t.stop()); + video.stream = null; + video.src = null; + doc.getElementById("webRTC-preview").hidden = true; + } + let menupopup = doc.getElementById("webRTC-selectWindow-menupopup"); + if (menupopup._commandEventListener) { + menupopup.removeEventListener( + "command", + menupopup._commandEventListener + ); + menupopup._commandEventListener = null; + } + } + + // If the notification has been cancelled (e.g. due to entering full-screen), also cancel the webRTC request + if (aTopic == "removed" && notification && isCancel) { + aActor.denyRequest(aRequest); + } + + if (aTopic != "showing") { + return false; + } + + // If BLOCK has been set persistently in the permission manager or has + // been set on the tab, then it is handled synchronously before we add + // the notification. + // Handling of ALLOW is delayed until the popupshowing event, + // to avoid granting permissions automatically to background tabs. + if (aActor.checkRequestAllowed(aRequest, principal, aBrowser)) { + this.remove(); + return true; + } + + function listDevices(menupopup, devices, labelID) { + while (menupopup.lastChild) { + menupopup.removeChild(menupopup.lastChild); + } + let menulist = menupopup.parentNode; + // Removing the child nodes of the menupopup doesn't clear the value + // attribute of the menulist. This can have unfortunate side effects + // when the list is rebuilt with a different content, so we remove + // the value attribute and unset the selectedItem explicitly. + menulist.removeAttribute("value"); + menulist.selectedItem = null; + + for (let device of devices) { + let item = addDeviceToList( + menupopup, + device.name, + device.deviceIndex + ); + if (device.id == aRequest.audioOutputId) { + menulist.selectedItem = item; + } + } + + let label = doc.getElementById(labelID); + if (devices.length == 1) { + label.value = devices[0].name; + label.hidden = false; + menulist.hidden = true; + } else { + label.hidden = true; + menulist.hidden = false; + } + } + + let notificationElement = doc.getElementById( + "webRTC-shareDevices-notification" + ); + + function checkDisabledWindowMenuItem() { + let list = doc.getElementById("webRTC-selectWindow-menulist"); + let item = list.selectedItem; + if (!item || item.hasAttribute("disabled")) { + notificationElement.setAttribute("invalidselection", "true"); + } else { + notificationElement.removeAttribute("invalidselection"); + } + } + + function listScreenShareDevices(menupopup, devices) { + while (menupopup.lastChild) { + menupopup.removeChild(menupopup.lastChild); + } + + // Removing the child nodes of the menupopup doesn't clear the value + // attribute of the menulist. This can have unfortunate side effects + // when the list is rebuilt with a different content, so we remove + // the value attribute and unset the selectedItem explicitly. + menupopup.parentNode.removeAttribute("value"); + menupopup.parentNode.selectedItem = null; + + // "Select a Window or Screen" is the default because we can't and don't + // want to pick a 'default' window to share (Full screen is "scary"). + addDeviceToList( + menupopup, + localization.formatValueSync("webrtc-pick-window-or-screen"), + "-1" + ); + menupopup.appendChild(doc.createXULElement("menuseparator")); + + let isPipeWire = false; + + // Build the list of 'devices'. + let monitorIndex = 1; + for (let i = 0; i < devices.length; ++i) { + let device = devices[i]; + let type = device.mediaSource; + let name; + // Building screen list from available screens. + if (type == "screen") { + if (device.name == "Primary Monitor") { + name = localization.formatValueSync("webrtc-share-entire-screen"); + } else { + name = localization.formatValueSync("webrtc-share-monitor", { + monitorIndex, + }); + ++monitorIndex; + } + } else { + name = device.name; + // When we share content by PipeWire add only one item to the device + // list. When it's selected PipeWire portal dialog is opened and + // user confirms actual window/screen sharing there. + // Don't mark it as scary as there's an extra confirmation step by + // PipeWire portal dialog. + if (name == PIPEWIRE_PORTAL_NAME && device.rawId == PIPEWIRE_ID) { + isPipeWire = true; + let item = addDeviceToList( + menupopup, + localization.formatValueSync("webrtc-share-pipe-wire-portal"), + i, + type + ); + item.deviceId = device.rawId; + item.mediaSource = type; + + // In this case the OS sharing dialog will be the only option and + // can be safely pre-selected. + menupopup.parentNode.selectedItem = item; + menupopup.parentNode.disabled = true; + break; + } + if (type == "application") { + // The application names returned by the platform are of the form: + // <window count>\x1e<application name> + const [count, appName] = name.split("\x1e"); + name = localization.formatValueSync("webrtc-share-application", { + appName, + windowCount: parseInt(count), + }); + } + } + let item = addDeviceToList(menupopup, name, i, type); + item.deviceId = device.rawId; + item.mediaSource = type; + if (device.scary) { + item.scary = true; + } + } + + // Always re-select the "No <type>" item. + doc + .getElementById("webRTC-selectWindow-menulist") + .removeAttribute("value"); + doc.getElementById("webRTC-all-windows-shared").hidden = true; + + menupopup._commandEventListener = event => { + checkDisabledWindowMenuItem(); + let video = doc.getElementById("webRTC-previewVideo"); + if (video.stream) { + video.stream.getTracks().forEach(t => t.stop()); + video.stream = null; + } + + const { deviceId, mediaSource, scary } = event.target; + if (deviceId == undefined) { + doc.getElementById("webRTC-preview").hidden = true; + video.src = null; + return; + } + + let warning = doc.getElementById("webRTC-previewWarning"); + let warningBox = doc.getElementById("webRTC-previewWarningBox"); + warningBox.hidden = !scary; + let chromeWin = doc.defaultView; + if (scary) { + const warnId = + mediaSource == "screen" + ? "webrtc-share-screen-warning" + : "webrtc-share-browser-warning"; + doc.l10n.setAttributes(warning, warnId); + + const learnMore = doc.getElementById( + "webRTC-previewWarning-learnMore" + ); + const baseURL = Services.urlFormatter.formatURLPref( + "app.support.baseURL" + ); + learnMore.setAttribute("href", baseURL + "screenshare-safety"); + doc.l10n.setAttributes(learnMore, "webrtc-share-screen-learn-more"); + + // On Catalina, we don't want to blow our chance to show the + // OS-level helper prompt to enable screen recording if the user + // intends to reject anyway. OTOH showing it when they click Allow + // is too late. A happy middle is to show it when the user makes a + // choice in the picker. This already happens implicitly if the + // user chooses "Entire desktop", as a side-effect of our preview, + // we just need to also do it if they choose "Firefox". These are + // the lone two options when permission is absent on Catalina. + // Ironically, these are the two sources marked "scary" from a + // web-sharing perspective, which is why this code resides here. + // A restart doesn't appear to be necessary in spite of OS wording. + let scrStatus = {}; + lazy.OSPermissions.getScreenCapturePermissionState(scrStatus); + if (scrStatus.value == lazy.OSPermissions.PERMISSION_STATE_DENIED) { + lazy.OSPermissions.maybeRequestScreenCapturePermission(); + } + } + + let perms = Services.perms; + let chromePrincipal = Services.scriptSecurityManager.getSystemPrincipal(); + perms.addFromPrincipal( + chromePrincipal, + "MediaManagerVideo", + perms.ALLOW_ACTION, + perms.EXPIRE_SESSION + ); + + if (!isPipeWire) { + video.deviceId = deviceId; + let constraints = { + video: { mediaSource, deviceId: { exact: deviceId } }, + }; + chromeWin.navigator.mediaDevices.getUserMedia(constraints).then( + stream => { + if (video.deviceId != deviceId) { + // The user has selected a different device or closed the panel + // before getUserMedia finished. + stream.getTracks().forEach(t => t.stop()); + return; + } + video.srcObject = stream; + video.stream = stream; + doc.getElementById("webRTC-preview").hidden = false; + video.onloadedmetadata = function(e) { + video.play(); + }; + }, + err => { + if ( + err.name == "OverconstrainedError" && + err.constraint == "deviceId" + ) { + // Window has disappeared since enumeration, which can happen. + // No preview for you. + return; + } + console.error( + `error in preview: ${err.message} ${err.constraint}` + ); + } + ); + } + }; + menupopup.addEventListener("command", menupopup._commandEventListener); + } + + function addDeviceToList(menupopup, deviceName, deviceIndex, type) { + let menuitem = doc.createXULElement("menuitem"); + menuitem.setAttribute("value", deviceIndex); + menuitem.setAttribute("label", deviceName); + menuitem.setAttribute("tooltiptext", deviceName); + if (type) { + menuitem.setAttribute("devicetype", type); + } + + if (deviceIndex == "-1") { + menuitem.setAttribute("disabled", true); + } + + menupopup.appendChild(menuitem); + return menuitem; + } + + doc.getElementById("webRTC-selectCamera").hidden = + reqVideoInput !== "Camera"; + doc.getElementById("webRTC-selectWindowOrScreen").hidden = + reqVideoInput !== "Screen"; + doc.getElementById("webRTC-selectMicrophone").hidden = + reqAudioInput !== "Microphone"; + doc.getElementById("webRTC-selectSpeaker").hidden = !reqAudioOutput; + + let camMenupopup = doc.getElementById("webRTC-selectCamera-menupopup"); + let windowMenupopup = doc.getElementById("webRTC-selectWindow-menupopup"); + let micMenupopup = doc.getElementById( + "webRTC-selectMicrophone-menupopup" + ); + let speakerMenupopup = doc.getElementById( + "webRTC-selectSpeaker-menupopup" + ); + let describedByIDs = ["webRTC-shareDevices-notification-description"]; + + if (sharingScreen) { + listScreenShareDevices(windowMenupopup, videoInputDevices); + checkDisabledWindowMenuItem(); + } else { + let labelID = "webRTC-selectCamera-single-device-label"; + listDevices(camMenupopup, videoInputDevices, labelID); + notificationElement.removeAttribute("invalidselection"); + if (videoInputDevices.length == 1) { + describedByIDs.push("webRTC-selectCamera-icon", labelID); + } + } + + if (!sharingAudio) { + let labelID = "webRTC-selectMicrophone-single-device-label"; + listDevices(micMenupopup, audioInputDevices, labelID); + if (audioInputDevices.length == 1) { + describedByIDs.push("webRTC-selectMicrophone-icon", labelID); + } + } + + let labelID = "webRTC-selectSpeaker-single-device-label"; + listDevices(speakerMenupopup, audioOutputDevices, labelID); + if (audioOutputDevices.length == 1) { + describedByIDs.push("webRTC-selectSpeaker-icon", labelID); + } + + // PopupNotifications knows to clear the aria-describedby attribute + // when hiding, so we don't have to worry about cleaning it up ourselves. + chromeDoc.defaultView.PopupNotifications.panel.setAttribute( + "aria-describedby", + describedByIDs.join(" ") + ); + + this.mainAction.callback = async function(aState) { + let remember = false; + let silenceNotifications = false; + + if (notificationSilencingEnabled && sharingScreen) { + silenceNotifications = aState && aState.checkboxChecked; + } else { + remember = aState && aState.checkboxChecked; + } + + let allowedDevices = []; + let perms = Services.perms; + if (reqVideoInput) { + let listId = sharingScreen + ? "webRTC-selectWindow-menulist" + : "webRTC-selectCamera-menulist"; + let videoDeviceIndex = doc.getElementById(listId).value; + let allowVideoDevice = videoDeviceIndex != "-1"; + if (allowVideoDevice) { + allowedDevices.push(videoDeviceIndex); + // Session permission will be removed after use + // (it's really one-shot, not for the entire session) + perms.addFromPrincipal( + principal, + "MediaManagerVideo", + perms.ALLOW_ACTION, + perms.EXPIRE_SESSION + ); + let { mediaSource, rawId } = videoInputDevices.find( + ({ deviceIndex }) => deviceIndex == videoDeviceIndex + ); + aActor.activateDevicePerm(aRequest.windowID, mediaSource, rawId); + if (remember) { + lazy.SitePermissions.setForPrincipal( + principal, + "camera", + lazy.SitePermissions.ALLOW + ); + } + } + } + + if (reqAudioInput === "Microphone") { + let audioDeviceIndex = doc.getElementById( + "webRTC-selectMicrophone-menulist" + ).value; + let allowMic = audioDeviceIndex != "-1"; + if (allowMic) { + allowedDevices.push(audioDeviceIndex); + let { mediaSource, rawId } = audioInputDevices.find( + ({ deviceIndex }) => deviceIndex == audioDeviceIndex + ); + aActor.activateDevicePerm(aRequest.windowID, mediaSource, rawId); + if (remember) { + lazy.SitePermissions.setForPrincipal( + principal, + "microphone", + lazy.SitePermissions.ALLOW + ); + } + } + } else if (reqAudioInput === "AudioCapture") { + // Only one device possible for audio capture. + allowedDevices.push(0); + } + + if (reqAudioOutput) { + let audioDeviceIndex = doc.getElementById( + "webRTC-selectSpeaker-menulist" + ).value; + let allowSpeaker = audioDeviceIndex != "-1"; + if (allowSpeaker) { + allowedDevices.push(audioDeviceIndex); + let { id } = audioOutputDevices.find( + ({ deviceIndex }) => deviceIndex == audioDeviceIndex + ); + lazy.SitePermissions.setForPrincipal( + principal, + ["speaker", id].join("^"), + lazy.SitePermissions.ALLOW + ); + } + } + + if (!allowedDevices.length) { + aActor.denyRequest(aRequest); + return; + } + + const camNeeded = reqVideoInput === "Camera"; + const micNeeded = !!reqAudioInput; + const scrNeeded = reqVideoInput === "Screen"; + const havePermission = await aActor.checkOSPermission( + camNeeded, + micNeeded, + scrNeeded + ); + if (!havePermission) { + aActor.denyRequestNoPermission(aRequest); + return; + } + + aActor.sendAsyncMessage("webrtc:Allow", { + callID: aRequest.callID, + windowID: aRequest.windowID, + devices: allowedDevices, + suppressNotifications: silenceNotifications, + }); + }; + + // If we haven't handled the permission yet, we want to show the doorhanger. + return false; + }, + }; + + function shouldShowAlwaysRemember() { + // Don't offer "always remember" action in PB mode + if (lazy.PrivateBrowsingUtils.isBrowserPrivate(aBrowser)) { + return false; + } + + // Don't offer "always remember" action in third party with no permission + // delegation + if (aRequest.isThirdPartyOrigin && !aRequest.shouldDelegatePermission) { + return false; + } + + // Don't offer "always remember" action in maybe unsafe permission + // delegation + if (aRequest.shouldDelegatePermission && aRequest.secondOrigin) { + return false; + } + + // "Always allow this speaker" not yet supported for + // selectAudioOutput(). Bug 1712892 + if (reqAudioOutput) { + return false; + } + + return true; + } + + if (shouldShowAlwaysRemember()) { + // Disable the permanent 'Allow' action if the connection isn't secure, or for + // screen/audio sharing (because we can't guess which window the user wants to + // share without prompting). Note that we never enter this block for private + // browsing windows. + let reason = ""; + if (sharingScreen) { + reason = "webrtc-reason-for-no-permanent-allow-screen"; + } else if (sharingAudio) { + reason = "webrtc-reason-for-no-permanent-allow-audio"; + } else if (!aRequest.secure) { + reason = "webrtc-reason-for-no-permanent-allow-insecure"; + } + + options.checkbox = { + label: localization.formatValueSync("webrtc-remember-allow-checkbox"), + checked: principal.isAddonOrExpandedAddonPrincipal, + checkedState: reason + ? { + disableMainAction: true, + warningLabel: localization.formatValueSync(reason), + } + : undefined, + }; + } + + // If the notification silencing feature is enabled and we're sharing a + // screen, then the checkbox for the permission panel is what controls + // notification silencing. + if (notificationSilencingEnabled && sharingScreen) { + options.checkbox = { + label: localization.formatValueSync("webrtc-mute-notifications-checkbox"), + checked: false, + checkedState: { + disableMainAction: false, + }, + }; + } + + let anchorId = "webRTC-shareDevices-notification-icon"; + if (reqVideoInput === "Screen") { + anchorId = "webRTC-shareScreen-notification-icon"; + } else if (!reqVideoInput) { + if (reqAudioInput && !reqAudioOutput) { + anchorId = "webRTC-shareMicrophone-notification-icon"; + } else if (!reqAudioInput && reqAudioOutput) { + anchorId = "webRTC-shareSpeaker-notification-icon"; + } + } + + if (aRequest.secondOrigin) { + options.secondName = lazy.webrtcUI.getHostOrExtensionName( + null, + aRequest.secondOrigin + ); + } + + notification = chromeDoc.defaultView.PopupNotifications.show( + aBrowser, + "webRTC-shareDevices", + message, + anchorId, + mainAction, + secondaryActions, + options + ); + notification.callID = aRequest.callID; + + let schemeHistogram = Services.telemetry.getKeyedHistogramById( + "PERMISSION_REQUEST_ORIGIN_SCHEME" + ); + let userInputHistogram = Services.telemetry.getKeyedHistogramById( + "PERMISSION_REQUEST_HANDLING_USER_INPUT" + ); + + let docURI = aRequest.documentURI; + let scheme = 0; + if (docURI.startsWith("https")) { + scheme = 2; + } else if (docURI.startsWith("http")) { + scheme = 1; + } + + for (let requestType of requestTypes) { + if (requestType == "AudioCapture") { + requestType = "Microphone"; + } + requestType = requestType.toLowerCase(); + + schemeHistogram.add(requestType, scheme); + userInputHistogram.add(requestType, aRequest.isHandlingUserInput); + } +} + +/** + * @param {"Screen" | "Camera" | null} reqVideoInput + * @param {"AudioCapture" | "Microphone" | null} reqAudioInput + * @param {boolean} reqAudioOutput + * @param {boolean} delegation - Is the access delegated to a third party? + * @returns {string} Localization message identifier + */ +function getPromptMessageId( + reqVideoInput, + reqAudioInput, + reqAudioOutput, + delegation +) { + switch (reqVideoInput) { + case "Camera": + switch (reqAudioInput) { + case "Microphone": + return delegation + ? "webrtc-allow-share-camera-and-microphone-unsafe-delegation" + : "webrtc-allow-share-camera-and-microphone"; + case "AudioCapture": + return delegation + ? "webrtc-allow-share-camera-and-audio-capture-unsafe-delegation" + : "webrtc-allow-share-camera-and-audio-capture"; + default: + return delegation + ? "webrtc-allow-share-camera-unsafe-delegation" + : "webrtc-allow-share-camera"; + } + + case "Screen": + switch (reqAudioInput) { + case "Microphone": + return delegation + ? "webrtc-allow-share-screen-and-microphone-unsafe-delegation" + : "webrtc-allow-share-screen-and-microphone"; + case "AudioCapture": + return delegation + ? "webrtc-allow-share-screen-and-audio-capture-unsafe-delegation" + : "webrtc-allow-share-screen-and-audio-capture"; + default: + return delegation + ? "webrtc-allow-share-screen-unsafe-delegation" + : "webrtc-allow-share-screen"; + } + + default: + switch (reqAudioInput) { + case "Microphone": + return delegation + ? "webrtc-allow-share-microphone-unsafe-delegation" + : "webrtc-allow-share-microphone"; + case "AudioCapture": + return delegation + ? "webrtc-allow-share-audio-capture-unsafe-delegation" + : "webrtc-allow-share-audio-capture"; + default: + // This should be always true, if we've reached this far. + if (reqAudioOutput) { + return delegation + ? "webrtc-allow-share-speaker-unsafe-delegation" + : "webrtc-allow-share-speaker"; + } + return undefined; + } + } +} + +/** + * Checks whether we have a microphone/camera in use by checking the activePerms map + * or if we have an allow permission for a microphone/camera in sitePermissions + * @param {Browser} browser - Browser to find all active and allowed microphone and camera devices for + * @return true if one of the above conditions is met + */ +function allowedOrActiveCameraOrMicrophone(browser) { + // Do we have an allow permission for cam/mic in the permissions manager? + if ( + lazy.SitePermissions.getAllForBrowser(browser).some(perm => { + return ( + perm.state == lazy.SitePermissions.ALLOW && + (perm.id.startsWith("camera") || perm.id.startsWith("microphone")) + ); + }) + ) { + // Return early, no need to check for active devices + return true; + } + + // Do we have an active device? + return ( + // Find all windowIDs that belong to our browsing contexts + browser.browsingContext + .getAllBrowsingContextsInSubtree() + // Only keep the outerWindowIds + .map(bc => bc.currentWindowGlobal?.outerWindowId) + .filter(id => id != null) + // We have an active device if one of our windowIds has a non empty map in the activePerms map + // that includes one device of type "camera" or "microphone" + .some(id => { + let map = lazy.webrtcUI.activePerms.get(id); + if (!map) { + // This windowId has no active device + return false; + } + // Let's see if one of the devices is a camera or a microphone + let types = [...map.values()]; + return types.includes("microphone") || types.includes("camera"); + }) + ); +} + +function removePrompt(aBrowser, aCallId) { + let chromeWin = aBrowser.ownerGlobal; + let notification = chromeWin.PopupNotifications.getNotification( + "webRTC-shareDevices", + aBrowser + ); + if (notification && notification.callID == aCallId) { + notification.remove(); + } +} + +/** + * Clears temporary permission grants used for WebRTC device grace periods. + * @param browser - Browser element to clear permissions for. + * @param {boolean} clearCamera - Clear camera grants. + * @param {boolean} clearMicrophone - Clear microphone grants. + */ +function clearTemporaryGrants(browser, clearCamera, clearMicrophone) { + if (!clearCamera && !clearMicrophone) { + // Nothing to clear. + return; + } + let perms = lazy.SitePermissions.getAllForBrowser(browser); + perms + .filter(perm => { + let [id, key] = perm.id.split(lazy.SitePermissions.PERM_KEY_DELIMITER); + // We only want to clear WebRTC grace periods. These are temporary, device + // specifc (double-keyed) microphone or camera permissions. + return ( + key && + perm.state == lazy.SitePermissions.ALLOW && + perm.scope == lazy.SitePermissions.SCOPE_TEMPORARY && + ((clearCamera && id == "camera") || + (clearMicrophone && id == "microphone")) + ); + }) + .forEach(perm => + lazy.SitePermissions.removeFromPrincipal(null, perm.id, browser) + ); +} |