EME Extension: HDCP Policy Check

[SingingTree]

Request for Mozilla Position on an Emerging Web Specification

• Specification Title: EME Extension: HDCP Policy Check
• Specification or proposal URL: https://github.com/WICG/hdcp-detection/blob/master/explainer.md
• Caniuse.com URL (optional):
• Bugzilla URL (optional): https://bugzilla.mozilla.org/show_bug.cgi?id=1404230
• Mozillians who can provide input (optional):

Other information

This check is currently implemented in Gecko, but is behind a pref. I'm seeking more input on what we'd like to see before exposing the functionality without a pref being set.

[dbaron]

w3ctag/design-reviews#323 might have a few useful thoughts here.

[dbaron]

How much will the results of this API vary between Firefox users, and what would cause the variation?

[hsivonen]

How much will the results of this API vary between Firefox users, and what would cause the variation?

Hmm. This API has become worse for fingerprinting since I last paid attention: Instead of exposing a boolean, there are now more outcomes. The explainer shows 10 distinct outcomes of which Firefox and Chromium presently know about 9.

The source of variation would be the combination of operating system, GPU driver(s), GPU(s), and screen(s). One might argue that WebGL already exposes a hopeless number of fingerprinting bits that correlate with these.

In the WICG issue, it's said: "Several open-access license servers exist for the purposes of testing and integration, and their CORS headers allow access from "*". So this becomes all sites running in a secure context. Any HTTPS-hosted site can do a license exchange with these open license servers."

So this means that even without this API, these fingerprinting bits are available to the Web, but this API makes the bits available with less effort and with out a (potentially detectable and blockable) HTTP round trip to an open-access license server.

I'll ping you off-GitHub about reducing the fingerprinting bits.