Access to microphone is allowed even when user denies access to "video and microphone"
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Oxide |
Invalid
|
High
|
Unassigned | ||
webbrowser-app (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
The plain web browser can access the microphone when you deny the permission to access camera and microphone.
Tested / discovered with bq Aquaris E5 Ubuntu Edition, OTA-9.1 (vegeta, latest stable as of today).
How to Reproduce
----------------
1.) Go to e.g. https:/
2.) When prompted for "Allow this domain access the camera and microphone" choose "No"
3.) Click away the chat window (touch the down-arrow at right lower corner)
4.) Touch the screen to dismiss the "help text" ("Video off" is shown prominently)
5.) Touch the screen again to show the video controls, touch on the "microphone" icon; "Audio only" is shown on the screen
6.) Log in to the same URL from a PC (or another phone) to verify audio works
Other Details
-------------
Discussion on the mailing list:
https:/
information type: | Private Security → Public |
summary: |
- Access to camera is allowed even when user denies access to "video and - microphone" + Access to microphone is allowed even when user denies access to "video + and microphone" |
information type: | Public → Public Security |
From the ubuntu-phone mailing list (Subject: [Ubuntu-phone] Adjusting camera settings in a Web app):
"On Sat, 2016-03-05 at 11:54 +0100, Peter Bittner wrote:
>
> Side note: Interestingly, access to the microphone has always been
> possible, even without the "microphone" policy_group (I noticed this
> in version 0.1 of my web app [4]). Not sure whether this is a bug or
> a
> feature.
This is possibly a bug. pulseaudio is supposed to have trust-store integration these days, however, I'm not sure if camera is granted if that implies microphone. I see you filed the bug here:
https:/ /bugs.launchpad .net/ubuntu/ +source/ webbrowser- app/+bug/ 1553482
I'll add a comment to that bug."