Patch Firefox (XUL) in-memory with Frida to remove restrictions on HTMLElement's captureStream.
Written for macOS 10.14 / Firefox 76 as an educational experiment, now non-functional and For Your Reference Only.
Want to fix this? Figure out how to change sandbox rules at runtime or something, idk. Maybe breakpoint Firefox at some specific state before content processes launch, then append to the sandbox profile string? Here's some interesting logs:
error 04:54:59.972604-0500 kernel Sandbox: plugin-container(4964) deny(1) mach-lookup re.frida.piped.4989
default 04:55:03.800789-0500 kernel Sandbox: 10 duplicate reports for plugin-container deny(1) mach-lookup re.frida.piped.4989
Interestingly enough, the main process is privileged enough for the Frida agent to do its IPC without being explicitly sandbox allowlisted. Unfortunately, the interesting codepath that we target does not run in the main process.
On recent macOS builds, it's also necessary to reconfigure SIP to allow debugging, as Firefox is
notarized and thus doesn't have the entitlement com.apple.security.get-task-allow.
csrutil enable --without debugYou didn't want to turn SIP all the way off, did you? :P
Once you do that, there's a handy demo that you can paste into devtools. By the way, MediaStream captures on Firefox are very low-res and basically useless.
Happy debugging!