/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ "use strict"; var EXPORTED_SYMBOLS = ["WebRTCParent"]; const { XPCOMUtils } = ChromeUtils.importESModule( "resource://gre/modules/XPCOMUtils.sys.mjs" ); const lazy = {}; ChromeUtils.defineESModuleGetters(lazy, { PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.sys.mjs", }); ChromeUtils.defineModuleGetter( lazy, "SitePermissions", "resource:///modules/SitePermissions.jsm" ); ChromeUtils.defineModuleGetter( lazy, "webrtcUI", "resource:///modules/webrtcUI.jsm" ); XPCOMUtils.defineLazyServiceGetter( lazy, "OSPermissions", "@mozilla.org/ospermissionrequest;1", "nsIOSPermissionRequest" ); // Keep in sync with defines at base_capturer_pipewire.cc // With PipeWire we can't select which system resource is shared so // we don't create a window/screen list. Instead we place these constants // as window name/id so frontend code can identify PipeWire backend // and does not try to create screen/window preview. const PIPEWIRE_PORTAL_NAME = "####_PIPEWIRE_PORTAL_####"; const PIPEWIRE_ID = 0xaffffff; class WebRTCParent extends JSWindowActorParent { didDestroy() { // Media stream tracks end on unload, so call stopRecording() on them early // *before* we go away, to ensure we're working with the right principal. this.stopRecording(this.manager.outerWindowId); lazy.webrtcUI.forgetStreamsFromBrowserContext(this.browsingContext); // Must clear activePerms here to prevent them from being read by laggard // stopRecording() calls, which due to IPC, may come in *after* navigation. // This is to prevent granting temporary grace periods to the wrong page. lazy.webrtcUI.activePerms.delete(this.manager.outerWindowId); } getBrowser() { return this.browsingContext.top.embedderElement; } receiveMessage(aMessage) { switch (aMessage.name) { case "rtcpeer:Request": { let params = Object.freeze( Object.assign( { origin: this.manager.documentPrincipal.origin, }, aMessage.data ) ); let blockers = Array.from(lazy.webrtcUI.peerConnectionBlockers); (async function() { for (let blocker of blockers) { try { let result = await blocker(params); if (result == "deny") { return false; } } catch (err) { console.error(`error in PeerConnection blocker: ${err.message}`); } } return true; })().then(decision => { let message; if (decision) { lazy.webrtcUI.emitter.emit("peer-request-allowed", params); message = "rtcpeer:Allow"; } else { lazy.webrtcUI.emitter.emit("peer-request-blocked", params); message = "rtcpeer:Deny"; } this.sendAsyncMessage(message, { callID: params.callID, windowID: params.windowID, }); }); break; } case "rtcpeer:CancelRequest": { let params = Object.freeze({ origin: this.manager.documentPrincipal.origin, callID: aMessage.data, }); lazy.webrtcUI.emitter.emit("peer-request-cancel", params); break; } case "webrtc:Request": { let data = aMessage.data; // Record third party origins for telemetry. let isThirdPartyOrigin = this.manager.documentPrincipal.origin != this.manager.topWindowContext.documentPrincipal.origin; data.isThirdPartyOrigin = isThirdPartyOrigin; data.origin = data.shouldDelegatePermission ? this.manager.topWindowContext.documentPrincipal.origin : this.manager.documentPrincipal.origin; let browser = this.getBrowser(); if (browser.fxrPermissionPrompt) { // For Firefox Reality on Desktop, switch to a different mechanism to // prompt the user since fewer permissions are available and since many // UI dependencies are not available. browser.fxrPermissionPrompt(data); } else { prompt(this, this.getBrowser(), data); } break; } case "webrtc:StopRecording": this.stopRecording( aMessage.data.windowID, aMessage.data.mediaSource, aMessage.data.rawID ); break; case "webrtc:CancelRequest": { let browser = this.getBrowser(); // browser can be null when closing the window if (browser) { removePrompt(browser, aMessage.data); } break; } case "webrtc:UpdateIndicators": { let { data } = aMessage; data.documentURI = this.manager.documentURI?.spec; if (data.windowId) { if (!data.remove) { data.principal = this.manager.topWindowContext.documentPrincipal; } lazy.webrtcUI.streamAddedOrRemoved(this.browsingContext, data); } this.updateIndicators(data); break; } } } updateIndicators(aData) { let browsingContext = this.browsingContext; let state = lazy.webrtcUI.updateIndicators(browsingContext.top); let browser = this.getBrowser(); if (!browser) { return; } state.browsingContext = browsingContext; state.windowId = aData.windowId; let tabbrowser = browser.ownerGlobal.gBrowser; if (tabbrowser) { tabbrowser.updateBrowserSharing(browser, { webRTC: state, }); } } denyRequest(aRequest) { this.sendAsyncMessage("webrtc:Deny", { callID: aRequest.callID, windowID: aRequest.windowID, }); } // // Deny the request because the browser does not have access to the // camera or microphone due to OS security restrictions. The user may // have granted camera/microphone access to the site, but not have // allowed the browser access in OS settings. // denyRequestNoPermission(aRequest) { this.sendAsyncMessage("webrtc:Deny", { callID: aRequest.callID, windowID: aRequest.windowID, noOSPermission: true, }); } // // Check if we have permission to access the camera or screen-sharing and/or // microphone at the OS level. Triggers a request to access the device if access // is needed and the permission state has not yet been determined. // async checkOSPermission(camNeeded, micNeeded, scrNeeded) { // Don't trigger OS permission requests for fake devices. Fake devices don't // require OS permission and the dialogs are problematic in automated testing // (where fake devices are used) because they require user interaction. if ( !scrNeeded && Services.prefs.getBoolPref("media.navigator.streams.fake", false) ) { return true; } let camStatus = {}, micStatus = {}; if (camNeeded || micNeeded) { lazy.OSPermissions.getMediaCapturePermissionState(camStatus, micStatus); } if (camNeeded) { let camPermission = camStatus.value; let camAccessible = await this.checkAndGetOSPermission( camPermission, lazy.OSPermissions.requestVideoCapturePermission ); if (!camAccessible) { return false; } } if (micNeeded) { let micPermission = micStatus.value; let micAccessible = await this.checkAndGetOSPermission( micPermission, lazy.OSPermissions.requestAudioCapturePermission ); if (!micAccessible) { return false; } } let scrStatus = {}; if (scrNeeded) { lazy.OSPermissions.getScreenCapturePermissionState(scrStatus); if (scrStatus.value == lazy.OSPermissions.PERMISSION_STATE_DENIED) { lazy.OSPermissions.maybeRequestScreenCapturePermission(); return false; } } return true; } // // Given a device's permission, return true if the device is accessible. If // the device's permission is not yet determined, request access to the device. // |requestPermissionFunc| must return a promise that resolves with true // if the device is accessible and false otherwise. // async checkAndGetOSPermission(devicePermission, requestPermissionFunc) { if ( devicePermission == lazy.OSPermissions.PERMISSION_STATE_DENIED || devicePermission == lazy.OSPermissions.PERMISSION_STATE_RESTRICTED ) { return false; } if (devicePermission == lazy.OSPermissions.PERMISSION_STATE_NOTDETERMINED) { let deviceAllowed = await requestPermissionFunc(); if (!deviceAllowed) { return false; } } return true; } stopRecording(aOuterWindowId, aMediaSource, aRawId) { for (let { browsingContext, state } of lazy.webrtcUI._streams) { if (browsingContext == this.browsingContext) { let { principal } = state; for (let { mediaSource, rawId } of state.devices) { if (aRawId && (aRawId != rawId || aMediaSource != mediaSource)) { continue; } // Deactivate this device (no aRawId means all devices). this.deactivateDevicePerm( aOuterWindowId, mediaSource, rawId, principal ); } } } } /** * Add a device record to webrtcUI.activePerms, denoting a device as in use. * Important to call for permission grace periods to work correctly. */ activateDevicePerm(aOuterWindowId, aMediaSource, aId) { if (!lazy.webrtcUI.activePerms.has(this.manager.outerWindowId)) { lazy.webrtcUI.activePerms.set(this.manager.outerWindowId, new Map()); } lazy.webrtcUI.activePerms .get(this.manager.outerWindowId) .set(aOuterWindowId + aMediaSource + aId, aMediaSource); } /** * Remove a device record from webrtcUI.activePerms, denoting a device as * no longer in use by the site. Meaning: gUM requests for this device will * no longer be implicitly granted through the webrtcUI.activePerms mechanism. * * However, if webrtcUI.deviceGracePeriodTimeoutMs is defined, the implicit * grant is extended for an additional period of time through SitePermissions. */ deactivateDevicePerm( aOuterWindowId, aMediaSource, aId, aPermissionPrincipal ) { // If we don't have active permissions for the given window anymore don't // set a grace period. This happens if there has been a user revoke and // webrtcUI clears the permissions. if (!lazy.webrtcUI.activePerms.has(this.manager.outerWindowId)) { return; } let map = lazy.webrtcUI.activePerms.get(this.manager.outerWindowId); map.delete(aOuterWindowId + aMediaSource + aId); // Add a permission grace period for camera and microphone only if ( (aMediaSource != "camera" && aMediaSource != "microphone") || !this.browsingContext.top.embedderElement ) { return; } let gracePeriodMs = lazy.webrtcUI.deviceGracePeriodTimeoutMs; if (gracePeriodMs > 0) { // A grace period is extended (even past navigation) to this outer window // + origin + deviceId only. This avoids re-prompting without the user // having to persist permission to the site, in a common case of a web // conference asking them for the camera in a lobby page, before // navigating to the actual meeting room page. Does not survive tab close. // // Caution: since navigation causes deactivation, we may be in the middle // of one. We must pass in a principal & URI for SitePermissions to use // instead of browser.currentURI, because the latter may point to a new // page already, and we must not leak permission to unrelated pages. // let permissionName = [aMediaSource, aId].join("^"); lazy.SitePermissions.setForPrincipal( aPermissionPrincipal, permissionName, lazy.SitePermissions.ALLOW, lazy.SitePermissions.SCOPE_TEMPORARY, this.browsingContext.top.embedderElement, gracePeriodMs, aPermissionPrincipal.URI ); } } /** * Checks if the principal has sufficient permissions * to fulfill the given request. If the request can be * fulfilled, a message is sent to the child * signaling that WebRTC permissions were given and * this function will return true. */ checkRequestAllowed(aRequest, aPrincipal) { if (!aRequest.secure) { return false; } // Always prompt for screen sharing if (aRequest.sharingScreen) { return false; } let { callID, windowID, audioInputDevices, videoInputDevices, audioOutputDevices, hasInherentAudioConstraints, hasInherentVideoConstraints, audioOutputId, } = aRequest; if (audioOutputDevices?.length) { // Prompt if a specific device is not requested, available and allowed. let device = audioOutputDevices.find(({ id }) => id == audioOutputId); if ( !device || !lazy.SitePermissions.getForPrincipal( aPrincipal, ["speaker", device.id].join("^"), this.getBrowser() ).state == lazy.SitePermissions.ALLOW ) { return false; } this.sendAsyncMessage("webrtc:Allow", { callID, windowID, devices: [device.deviceIndex], }); return true; } let { perms } = Services; if ( perms.testExactPermissionFromPrincipal(aPrincipal, "MediaManagerVideo") ) { perms.removeFromPrincipal(aPrincipal, "MediaManagerVideo"); } // Don't use persistent permissions from the top-level principal // if we're in a cross-origin iframe and permission delegation is not // allowed, or when we're handling a potentially insecure third party // through a wildcard ("*") allow attribute. let limited = (aRequest.isThirdPartyOrigin && !aRequest.shouldDelegatePermission) || aRequest.secondOrigin; let map = lazy.webrtcUI.activePerms.get(this.manager.outerWindowId); // We consider a camera or mic active if it is active or was active within a // grace period of milliseconds ago. const isAllowed = ({ mediaSource, rawId }, permissionID) => map?.get(windowID + mediaSource + rawId) || (!limited && (lazy.SitePermissions.getForPrincipal(aPrincipal, permissionID).state == lazy.SitePermissions.ALLOW || lazy.SitePermissions.getForPrincipal( aPrincipal, [mediaSource, rawId].join("^"), this.getBrowser() ).state == lazy.SitePermissions.ALLOW)); let microphone; if (audioInputDevices.length) { for (let device of audioInputDevices) { if (isAllowed(device, "microphone")) { microphone = device; break; } if (hasInherentAudioConstraints) { // Inherent constraints suggest site is looking for a specific mic break; } // Some sites don't look too hard at what they get, and spam gUM without // adjusting what they ask for to match what they got last time. To keep // users in charge and reduce prompts, ignore other constraints by // returning the most-fit microphone a site already has access to. } if (!microphone) { return false; } } let camera; if (videoInputDevices.length) { for (let device of videoInputDevices) { if (isAllowed(device, "camera")) { camera = device; break; } if (hasInherentVideoConstraints) { // Inherent constraints suggest site is looking for a specific camera break; } // Some sites don't look too hard at what they get, and spam gUM without // adjusting what they ask for to match what they got last time. To keep // users in charge and reduce prompts, ignore other constraints by // returning the most-fit camera a site already has access to. } if (!camera) { return false; } } let devices = []; if (camera) { perms.addFromPrincipal( aPrincipal, "MediaManagerVideo", perms.ALLOW_ACTION, perms.EXPIRE_SESSION ); devices.push(camera.deviceIndex); this.activateDevicePerm(windowID, camera.mediaSource, camera.rawId); } if (microphone) { devices.push(microphone.deviceIndex); this.activateDevicePerm( windowID, microphone.mediaSource, microphone.rawId ); } this.checkOSPermission(!!camera, !!microphone, false).then( havePermission => { if (havePermission) { this.sendAsyncMessage("webrtc:Allow", { callID, windowID, devices }); } else { this.denyRequestNoPermission(aRequest); } } ); return true; } } function prompt(aActor, aBrowser, aRequest) { let { audioInputDevices, videoInputDevices, audioOutputDevices, sharingScreen, sharingAudio, requestTypes, } = aRequest; let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin( aRequest.origin ); // For add-on principals, we immediately check for permission instead // of waiting for the notification to focus. This allows for supporting // cases such as browserAction popups where no prompt is shown. if (principal.addonPolicy) { let isPopup = false; let isBackground = false; for (let view of principal.addonPolicy.extension.views) { if (view.viewType == "popup" && view.xulBrowser == aBrowser) { isPopup = true; } if (view.viewType == "background" && view.xulBrowser == aBrowser) { isBackground = true; } } // Recording from background pages is considered too sensitive and will // always be denied. if (isBackground) { aActor.denyRequest(aRequest); return; } // If the request comes from a popup, we don't want to show the prompt, // but we do want to allow the request if the user previously gave permission. if (isPopup) { if (!aActor.checkRequestAllowed(aRequest, principal, aBrowser)) { aActor.denyRequest(aRequest); } return; } } // If the user has already denied access once in this tab, // deny again without even showing the notification icon. for (const type of requestTypes) { const permissionID = type == "AudioCapture" ? "microphone" : type.toLowerCase(); if ( lazy.SitePermissions.getForPrincipal(principal, permissionID, aBrowser) .state == lazy.SitePermissions.BLOCK ) { aActor.denyRequest(aRequest); return; } } let chromeDoc = aBrowser.ownerDocument; const localization = new Localization( ["browser/webrtcIndicator.ftl", "branding/brand.ftl"], true ); /** @type {"Screen" | "Camera" | null} */ let reqVideoInput = null; if (videoInputDevices.length) { reqVideoInput = sharingScreen ? "Screen" : "Camera"; } /** @type {"AudioCapture" | "Microphone" | null} */ let reqAudioInput = null; if (audioInputDevices.length) { reqAudioInput = sharingAudio ? "AudioCapture" : "Microphone"; } const reqAudioOutput = !!audioOutputDevices.length; const stringId = getPromptMessageId( reqVideoInput, reqAudioInput, reqAudioOutput, !!aRequest.secondOrigin ); const message = localization.formatValueSync(stringId, { origin: "<>", thirdParty: "{}", }); let notification; // Used by action callbacks. const actionL10nIds = [{ id: "webrtc-action-allow" }]; let notificationSilencingEnabled = Services.prefs.getBoolPref( "privacy.webrtc.allowSilencingNotifications" ); const isNotNowLabelEnabled = allowedOrActiveCameraOrMicrophone(aBrowser); let secondaryActions = []; if (notificationSilencingEnabled && sharingScreen) { // We want to free up the checkbox at the bottom of the permission // panel for the notification silencing option, so we use a // different configuration for the permissions panel when // notification silencing is enabled. // If we have a (temporary) allow permission for some mic/cam device // we offer a 'Not now' label instead of 'Block'. const id = isNotNowLabelEnabled ? "webrtc-action-not-now" : "webrtc-action-block"; actionL10nIds.push({ id }, { id: "webrtc-action-always-block" }); secondaryActions = [ { callback(aState) { aActor.denyRequest(aRequest); if (!isNotNowLabelEnabled) { lazy.SitePermissions.setForPrincipal( principal, "screen", lazy.SitePermissions.BLOCK, lazy.SitePermissions.SCOPE_TEMPORARY, notification.browser ); } }, }, { callback(aState) { aActor.denyRequest(aRequest); lazy.SitePermissions.setForPrincipal( principal, "screen", lazy.SitePermissions.BLOCK, lazy.SitePermissions.SCOPE_PERSISTENT, notification.browser ); }, }, ]; } else { // We have a (temporary) allow permission for some device // hence we offer a 'Not now' label instead of 'Block'. const id = isNotNowLabelEnabled ? "webrtc-action-not-now" : "webrtc-action-block"; actionL10nIds.push({ id }); secondaryActions = [ { callback(aState) { aActor.denyRequest(aRequest); const isPersistent = aState?.checkboxChecked; // Choosing 'Not now' will not set a block permission // we just deny the request. This enables certain use cases // where sites want to switch devices, but users back out of the permission request // (See Bug 1609578). // Selecting 'Remember this decision' and clicking 'Not now' will set a persistent block if (!isPersistent && isNotNowLabelEnabled) { return; } // Denying a camera / microphone prompt means we set a temporary or // persistent permission block. There may still be active grace period // permissions at this point. We need to remove them. clearTemporaryGrants( notification.browser, reqVideoInput === "Camera", !!reqAudioInput ); const scope = isPersistent ? lazy.SitePermissions.SCOPE_PERSISTENT : lazy.SitePermissions.SCOPE_TEMPORARY; if (reqAudioInput) { lazy.SitePermissions.setForPrincipal( principal, "microphone", lazy.SitePermissions.BLOCK, scope, notification.browser ); } if (reqVideoInput) { lazy.SitePermissions.setForPrincipal( principal, sharingScreen ? "screen" : "camera", lazy.SitePermissions.BLOCK, scope, notification.browser ); } }, }, ]; } // The formatMessagesSync method returns an array of results // for each message that was requested, and for the ones with // attributes, returns an attributes array with objects like: // { name: "label", value: "somevalue" } const [mainMessage, ...secondaryMessages] = localization .formatMessagesSync(actionL10nIds) .map(msg => msg.attributes.reduce( (acc, { name, value }) => ({ ...acc, [name]: value }), {} ) ); const mainAction = { label: mainMessage.label, accessKey: mainMessage.accesskey, // The real callback will be set during the "showing" event. The // empty function here is so that PopupNotifications.show doesn't // reject the action. callback() {}, }; for (let i = 0; i < secondaryActions.length; ++i) { secondaryActions[i].label = secondaryMessages[i].label; secondaryActions[i].accessKey = secondaryMessages[i].accesskey; } let options = { name: lazy.webrtcUI.getHostOrExtensionName(principal.URI), persistent: true, hideClose: true, eventCallback(aTopic, aNewBrowser, isCancel) { if (aTopic == "swapping") { return true; } let doc = this.browser.ownerDocument; // Clean-up video streams of screensharing previews. if ( reqVideoInput !== "Screen" || aTopic == "dismissed" || aTopic == "removed" ) { let video = doc.getElementById("webRTC-previewVideo"); video.deviceId = null; // Abort previews still being started. if (video.stream) { video.stream.getTracks().forEach(t => t.stop()); video.stream = null; video.src = null; doc.getElementById("webRTC-preview").hidden = true; } let menupopup = doc.getElementById("webRTC-selectWindow-menupopup"); if (menupopup._commandEventListener) { menupopup.removeEventListener( "command", menupopup._commandEventListener ); menupopup._commandEventListener = null; } } // If the notification has been cancelled (e.g. due to entering full-screen), also cancel the webRTC request if (aTopic == "removed" && notification && isCancel) { aActor.denyRequest(aRequest); } if (aTopic != "showing") { return false; } // If BLOCK has been set persistently in the permission manager or has // been set on the tab, then it is handled synchronously before we add // the notification. // Handling of ALLOW is delayed until the popupshowing event, // to avoid granting permissions automatically to background tabs. if (aActor.checkRequestAllowed(aRequest, principal, aBrowser)) { this.remove(); return true; } function listDevices(menupopup, devices, labelID) { while (menupopup.lastChild) { menupopup.removeChild(menupopup.lastChild); } let menulist = menupopup.parentNode; // Removing the child nodes of the menupopup doesn't clear the value // attribute of the menulist. This can have unfortunate side effects // when the list is rebuilt with a different content, so we remove // the value attribute and unset the selectedItem explicitly. menulist.removeAttribute("value"); menulist.selectedItem = null; for (let device of devices) { let item = addDeviceToList( menupopup, device.name, device.deviceIndex ); if (device.id == aRequest.audioOutputId) { menulist.selectedItem = item; } } let label = doc.getElementById(labelID); if (devices.length == 1) { label.value = devices[0].name; label.hidden = false; menulist.hidden = true; } else { label.hidden = true; menulist.hidden = false; } } let notificationElement = doc.getElementById( "webRTC-shareDevices-notification" ); function checkDisabledWindowMenuItem() { let list = doc.getElementById("webRTC-selectWindow-menulist"); let item = list.selectedItem; if (!item || item.hasAttribute("disabled")) { notificationElement.setAttribute("invalidselection", "true"); } else { notificationElement.removeAttribute("invalidselection"); } } function listScreenShareDevices(menupopup, devices) { while (menupopup.lastChild) { menupopup.removeChild(menupopup.lastChild); } // Removing the child nodes of the menupopup doesn't clear the value // attribute of the menulist. This can have unfortunate side effects // when the list is rebuilt with a different content, so we remove // the value attribute and unset the selectedItem explicitly. menupopup.parentNode.removeAttribute("value"); menupopup.parentNode.selectedItem = null; // "Select a Window or Screen" is the default because we can't and don't // want to pick a 'default' window to share (Full screen is "scary"). addDeviceToList( menupopup, localization.formatValueSync("webrtc-pick-window-or-screen"), "-1" ); menupopup.appendChild(doc.createXULElement("menuseparator")); let isPipeWire = false; // Build the list of 'devices'. let monitorIndex = 1; for (let i = 0; i < devices.length; ++i) { let device = devices[i]; let type = device.mediaSource; let name; // Building screen list from available screens. if (type == "screen") { if (device.name == "Primary Monitor") { name = localization.formatValueSync("webrtc-share-entire-screen"); } else { name = localization.formatValueSync("webrtc-share-monitor", { monitorIndex, }); ++monitorIndex; } } else { name = device.name; // When we share content by PipeWire add only one item to the device // list. When it's selected PipeWire portal dialog is opened and // user confirms actual window/screen sharing there. // Don't mark it as scary as there's an extra confirmation step by // PipeWire portal dialog. if (name == PIPEWIRE_PORTAL_NAME && device.rawId == PIPEWIRE_ID) { isPipeWire = true; let item = addDeviceToList( menupopup, localization.formatValueSync("webrtc-share-pipe-wire-portal"), i, type ); item.deviceId = device.rawId; item.mediaSource = type; // In this case the OS sharing dialog will be the only option and // can be safely pre-selected. menupopup.parentNode.selectedItem = item; menupopup.parentNode.disabled = true; break; } if (type == "application") { // The application names returned by the platform are of the form: // \x1e const [count, appName] = name.split("\x1e"); name = localization.formatValueSync("webrtc-share-application", { appName, windowCount: parseInt(count), }); } } let item = addDeviceToList(menupopup, name, i, type); item.deviceId = device.rawId; item.mediaSource = type; if (device.scary) { item.scary = true; } } // Always re-select the "No " item. doc .getElementById("webRTC-selectWindow-menulist") .removeAttribute("value"); doc.getElementById("webRTC-all-windows-shared").hidden = true; menupopup._commandEventListener = event => { checkDisabledWindowMenuItem(); let video = doc.getElementById("webRTC-previewVideo"); if (video.stream) { video.stream.getTracks().forEach(t => t.stop()); video.stream = null; } const { deviceId, mediaSource, scary } = event.target; if (deviceId == undefined) { doc.getElementById("webRTC-preview").hidden = true; video.src = null; return; } let warning = doc.getElementById("webRTC-previewWarning"); let warningBox = doc.getElementById("webRTC-previewWarningBox"); warningBox.hidden = !scary; let chromeWin = doc.defaultView; if (scary) { const warnId = mediaSource == "screen" ? "webrtc-share-screen-warning" : "webrtc-share-browser-warning"; doc.l10n.setAttributes(warning, warnId); const learnMore = doc.getElementById( "webRTC-previewWarning-learnMore" ); const baseURL = Services.urlFormatter.formatURLPref( "app.support.baseURL" ); learnMore.setAttribute("href", baseURL + "screenshare-safety"); doc.l10n.setAttributes(learnMore, "webrtc-share-screen-learn-more"); // On Catalina, we don't want to blow our chance to show the // OS-level helper prompt to enable screen recording if the user // intends to reject anyway. OTOH showing it when they click Allow // is too late. A happy middle is to show it when the user makes a // choice in the picker. This already happens implicitly if the // user chooses "Entire desktop", as a side-effect of our preview, // we just need to also do it if they choose "Firefox". These are // the lone two options when permission is absent on Catalina. // Ironically, these are the two sources marked "scary" from a // web-sharing perspective, which is why this code resides here. // A restart doesn't appear to be necessary in spite of OS wording. let scrStatus = {}; lazy.OSPermissions.getScreenCapturePermissionState(scrStatus); if (scrStatus.value == lazy.OSPermissions.PERMISSION_STATE_DENIED) { lazy.OSPermissions.maybeRequestScreenCapturePermission(); } } let perms = Services.perms; let chromePrincipal = Services.scriptSecurityManager.getSystemPrincipal(); perms.addFromPrincipal( chromePrincipal, "MediaManagerVideo", perms.ALLOW_ACTION, perms.EXPIRE_SESSION ); if (!isPipeWire) { video.deviceId = deviceId; let constraints = { video: { mediaSource, deviceId: { exact: deviceId } }, }; chromeWin.navigator.mediaDevices.getUserMedia(constraints).then( stream => { if (video.deviceId != deviceId) { // The user has selected a different device or closed the panel // before getUserMedia finished. stream.getTracks().forEach(t => t.stop()); return; } video.srcObject = stream; video.stream = stream; doc.getElementById("webRTC-preview").hidden = false; video.onloadedmetadata = function(e) { video.play(); }; }, err => { if ( err.name == "OverconstrainedError" && err.constraint == "deviceId" ) { // Window has disappeared since enumeration, which can happen. // No preview for you. return; } console.error( `error in preview: ${err.message} ${err.constraint}` ); } ); } }; menupopup.addEventListener("command", menupopup._commandEventListener); } function addDeviceToList(menupopup, deviceName, deviceIndex, type) { let menuitem = doc.createXULElement("menuitem"); menuitem.setAttribute("value", deviceIndex); menuitem.setAttribute("label", deviceName); menuitem.setAttribute("tooltiptext", deviceName); if (type) { menuitem.setAttribute("devicetype", type); } if (deviceIndex == "-1") { menuitem.setAttribute("disabled", true); } menupopup.appendChild(menuitem); return menuitem; } doc.getElementById("webRTC-selectCamera").hidden = reqVideoInput !== "Camera"; doc.getElementById("webRTC-selectWindowOrScreen").hidden = reqVideoInput !== "Screen"; doc.getElementById("webRTC-selectMicrophone").hidden = reqAudioInput !== "Microphone"; doc.getElementById("webRTC-selectSpeaker").hidden = !reqAudioOutput; let camMenupopup = doc.getElementById("webRTC-selectCamera-menupopup"); let windowMenupopup = doc.getElementById("webRTC-selectWindow-menupopup"); let micMenupopup = doc.getElementById( "webRTC-selectMicrophone-menupopup" ); let speakerMenupopup = doc.getElementById( "webRTC-selectSpeaker-menupopup" ); let describedByIDs = ["webRTC-shareDevices-notification-description"]; if (sharingScreen) { listScreenShareDevices(windowMenupopup, videoInputDevices); checkDisabledWindowMenuItem(); } else { let labelID = "webRTC-selectCamera-single-device-label"; listDevices(camMenupopup, videoInputDevices, labelID); notificationElement.removeAttribute("invalidselection"); if (videoInputDevices.length == 1) { describedByIDs.push("webRTC-selectCamera-icon", labelID); } } if (!sharingAudio) { let labelID = "webRTC-selectMicrophone-single-device-label"; listDevices(micMenupopup, audioInputDevices, labelID); if (audioInputDevices.length == 1) { describedByIDs.push("webRTC-selectMicrophone-icon", labelID); } } let labelID = "webRTC-selectSpeaker-single-device-label"; listDevices(speakerMenupopup, audioOutputDevices, labelID); if (audioOutputDevices.length == 1) { describedByIDs.push("webRTC-selectSpeaker-icon", labelID); } // PopupNotifications knows to clear the aria-describedby attribute // when hiding, so we don't have to worry about cleaning it up ourselves. chromeDoc.defaultView.PopupNotifications.panel.setAttribute( "aria-describedby", describedByIDs.join(" ") ); this.mainAction.callback = async function(aState) { let remember = false; let silenceNotifications = false; if (notificationSilencingEnabled && sharingScreen) { silenceNotifications = aState && aState.checkboxChecked; } else { remember = aState && aState.checkboxChecked; } let allowedDevices = []; let perms = Services.perms; if (reqVideoInput) { let listId = sharingScreen ? "webRTC-selectWindow-menulist" : "webRTC-selectCamera-menulist"; let videoDeviceIndex = doc.getElementById(listId).value; let allowVideoDevice = videoDeviceIndex != "-1"; if (allowVideoDevice) { allowedDevices.push(videoDeviceIndex); // Session permission will be removed after use // (it's really one-shot, not for the entire session) perms.addFromPrincipal( principal, "MediaManagerVideo", perms.ALLOW_ACTION, perms.EXPIRE_SESSION ); let { mediaSource, rawId } = videoInputDevices.find( ({ deviceIndex }) => deviceIndex == videoDeviceIndex ); aActor.activateDevicePerm(aRequest.windowID, mediaSource, rawId); if (remember) { lazy.SitePermissions.setForPrincipal( principal, "camera", lazy.SitePermissions.ALLOW ); } } } if (reqAudioInput === "Microphone") { let audioDeviceIndex = doc.getElementById( "webRTC-selectMicrophone-menulist" ).value; let allowMic = audioDeviceIndex != "-1"; if (allowMic) { allowedDevices.push(audioDeviceIndex); let { mediaSource, rawId } = audioInputDevices.find( ({ deviceIndex }) => deviceIndex == audioDeviceIndex ); aActor.activateDevicePerm(aRequest.windowID, mediaSource, rawId); if (remember) { lazy.SitePermissions.setForPrincipal( principal, "microphone", lazy.SitePermissions.ALLOW ); } } } else if (reqAudioInput === "AudioCapture") { // Only one device possible for audio capture. allowedDevices.push(0); } if (reqAudioOutput) { let audioDeviceIndex = doc.getElementById( "webRTC-selectSpeaker-menulist" ).value; let allowSpeaker = audioDeviceIndex != "-1"; if (allowSpeaker) { allowedDevices.push(audioDeviceIndex); let { id } = audioOutputDevices.find( ({ deviceIndex }) => deviceIndex == audioDeviceIndex ); lazy.SitePermissions.setForPrincipal( principal, ["speaker", id].join("^"), lazy.SitePermissions.ALLOW ); } } if (!allowedDevices.length) { aActor.denyRequest(aRequest); return; } const camNeeded = reqVideoInput === "Camera"; const micNeeded = !!reqAudioInput; const scrNeeded = reqVideoInput === "Screen"; const havePermission = await aActor.checkOSPermission( camNeeded, micNeeded, scrNeeded ); if (!havePermission) { aActor.denyRequestNoPermission(aRequest); return; } aActor.sendAsyncMessage("webrtc:Allow", { callID: aRequest.callID, windowID: aRequest.windowID, devices: allowedDevices, suppressNotifications: silenceNotifications, }); }; // If we haven't handled the permission yet, we want to show the doorhanger. return false; }, }; function shouldShowAlwaysRemember() { // Don't offer "always remember" action in PB mode if (lazy.PrivateBrowsingUtils.isBrowserPrivate(aBrowser)) { return false; } // Don't offer "always remember" action in third party with no permission // delegation if (aRequest.isThirdPartyOrigin && !aRequest.shouldDelegatePermission) { return false; } // Don't offer "always remember" action in maybe unsafe permission // delegation if (aRequest.shouldDelegatePermission && aRequest.secondOrigin) { return false; } // "Always allow this speaker" not yet supported for // selectAudioOutput(). Bug 1712892 if (reqAudioOutput) { return false; } return true; } if (shouldShowAlwaysRemember()) { // Disable the permanent 'Allow' action if the connection isn't secure, or for // screen/audio sharing (because we can't guess which window the user wants to // share without prompting). Note that we never enter this block for private // browsing windows. let reason = ""; if (sharingScreen) { reason = "webrtc-reason-for-no-permanent-allow-screen"; } else if (sharingAudio) { reason = "webrtc-reason-for-no-permanent-allow-audio"; } else if (!aRequest.secure) { reason = "webrtc-reason-for-no-permanent-allow-insecure"; } options.checkbox = { label: localization.formatValueSync("webrtc-remember-allow-checkbox"), checked: principal.isAddonOrExpandedAddonPrincipal, checkedState: reason ? { disableMainAction: true, warningLabel: localization.formatValueSync(reason), } : undefined, }; } // If the notification silencing feature is enabled and we're sharing a // screen, then the checkbox for the permission panel is what controls // notification silencing. if (notificationSilencingEnabled && sharingScreen) { options.checkbox = { label: localization.formatValueSync("webrtc-mute-notifications-checkbox"), checked: false, checkedState: { disableMainAction: false, }, }; } let anchorId = "webRTC-shareDevices-notification-icon"; if (reqVideoInput === "Screen") { anchorId = "webRTC-shareScreen-notification-icon"; } else if (!reqVideoInput) { if (reqAudioInput && !reqAudioOutput) { anchorId = "webRTC-shareMicrophone-notification-icon"; } else if (!reqAudioInput && reqAudioOutput) { anchorId = "webRTC-shareSpeaker-notification-icon"; } } if (aRequest.secondOrigin) { options.secondName = lazy.webrtcUI.getHostOrExtensionName( null, aRequest.secondOrigin ); } notification = chromeDoc.defaultView.PopupNotifications.show( aBrowser, "webRTC-shareDevices", message, anchorId, mainAction, secondaryActions, options ); notification.callID = aRequest.callID; let schemeHistogram = Services.telemetry.getKeyedHistogramById( "PERMISSION_REQUEST_ORIGIN_SCHEME" ); let userInputHistogram = Services.telemetry.getKeyedHistogramById( "PERMISSION_REQUEST_HANDLING_USER_INPUT" ); let docURI = aRequest.documentURI; let scheme = 0; if (docURI.startsWith("https")) { scheme = 2; } else if (docURI.startsWith("http")) { scheme = 1; } for (let requestType of requestTypes) { if (requestType == "AudioCapture") { requestType = "Microphone"; } requestType = requestType.toLowerCase(); schemeHistogram.add(requestType, scheme); userInputHistogram.add(requestType, aRequest.isHandlingUserInput); } } /** * @param {"Screen" | "Camera" | null} reqVideoInput * @param {"AudioCapture" | "Microphone" | null} reqAudioInput * @param {boolean} reqAudioOutput * @param {boolean} delegation - Is the access delegated to a third party? * @returns {string} Localization message identifier */ function getPromptMessageId( reqVideoInput, reqAudioInput, reqAudioOutput, delegation ) { switch (reqVideoInput) { case "Camera": switch (reqAudioInput) { case "Microphone": return delegation ? "webrtc-allow-share-camera-and-microphone-unsafe-delegation" : "webrtc-allow-share-camera-and-microphone"; case "AudioCapture": return delegation ? "webrtc-allow-share-camera-and-audio-capture-unsafe-delegation" : "webrtc-allow-share-camera-and-audio-capture"; default: return delegation ? "webrtc-allow-share-camera-unsafe-delegation" : "webrtc-allow-share-camera"; } case "Screen": switch (reqAudioInput) { case "Microphone": return delegation ? "webrtc-allow-share-screen-and-microphone-unsafe-delegation" : "webrtc-allow-share-screen-and-microphone"; case "AudioCapture": return delegation ? "webrtc-allow-share-screen-and-audio-capture-unsafe-delegation" : "webrtc-allow-share-screen-and-audio-capture"; default: return delegation ? "webrtc-allow-share-screen-unsafe-delegation" : "webrtc-allow-share-screen"; } default: switch (reqAudioInput) { case "Microphone": return delegation ? "webrtc-allow-share-microphone-unsafe-delegation" : "webrtc-allow-share-microphone"; case "AudioCapture": return delegation ? "webrtc-allow-share-audio-capture-unsafe-delegation" : "webrtc-allow-share-audio-capture"; default: // This should be always true, if we've reached this far. if (reqAudioOutput) { return delegation ? "webrtc-allow-share-speaker-unsafe-delegation" : "webrtc-allow-share-speaker"; } return undefined; } } } /** * Checks whether we have a microphone/camera in use by checking the activePerms map * or if we have an allow permission for a microphone/camera in sitePermissions * @param {Browser} browser - Browser to find all active and allowed microphone and camera devices for * @return true if one of the above conditions is met */ function allowedOrActiveCameraOrMicrophone(browser) { // Do we have an allow permission for cam/mic in the permissions manager? if ( lazy.SitePermissions.getAllForBrowser(browser).some(perm => { return ( perm.state == lazy.SitePermissions.ALLOW && (perm.id.startsWith("camera") || perm.id.startsWith("microphone")) ); }) ) { // Return early, no need to check for active devices return true; } // Do we have an active device? return ( // Find all windowIDs that belong to our browsing contexts browser.browsingContext .getAllBrowsingContextsInSubtree() // Only keep the outerWindowIds .map(bc => bc.currentWindowGlobal?.outerWindowId) .filter(id => id != null) // We have an active device if one of our windowIds has a non empty map in the activePerms map // that includes one device of type "camera" or "microphone" .some(id => { let map = lazy.webrtcUI.activePerms.get(id); if (!map) { // This windowId has no active device return false; } // Let's see if one of the devices is a camera or a microphone let types = [...map.values()]; return types.includes("microphone") || types.includes("camera"); }) ); } function removePrompt(aBrowser, aCallId) { let chromeWin = aBrowser.ownerGlobal; let notification = chromeWin.PopupNotifications.getNotification( "webRTC-shareDevices", aBrowser ); if (notification && notification.callID == aCallId) { notification.remove(); } } /** * Clears temporary permission grants used for WebRTC device grace periods. * @param browser - Browser element to clear permissions for. * @param {boolean} clearCamera - Clear camera grants. * @param {boolean} clearMicrophone - Clear microphone grants. */ function clearTemporaryGrants(browser, clearCamera, clearMicrophone) { if (!clearCamera && !clearMicrophone) { // Nothing to clear. return; } let perms = lazy.SitePermissions.getAllForBrowser(browser); perms .filter(perm => { let [id, key] = perm.id.split(lazy.SitePermissions.PERM_KEY_DELIMITER); // We only want to clear WebRTC grace periods. These are temporary, device // specifc (double-keyed) microphone or camera permissions. return ( key && perm.state == lazy.SitePermissions.ALLOW && perm.scope == lazy.SitePermissions.SCOPE_TEMPORARY && ((clearCamera && id == "camera") || (clearMicrophone && id == "microphone")) ); }) .forEach(perm => lazy.SitePermissions.removeFromPrincipal(null, perm.id, browser) ); }