"To minimize the chance of users unwittingly allowing web pages to record speech without their knowledge, implementations must abort an active speech input session if the web page lost input focus to another window or to another tab within the same user agent."
Given this the actual Chrome implementation is wrong.
Hmm. Thinking about how I use google hangouts, this "standardized" behavior would actually make hangouts virtually useless. For example, I would be unable to share my screen in any meaningful fashion, or hold a conversation while multitasking (I program as part of a distributed team, so I do both frequently).
I'm not entirely sure this spec creates a useful environment for webapp developers; in fact this limitation would encourage non-standardized implementations so they could actually be used by normal people.
We're talking about the Speech API here, which isn't something an app like Hangouts would use. WebRTC, which is more suitable, does not have that restriction codified into its spec.
I agree with you, though the speech to text API is different than just microphone access. Something like video conferencing may not fall under the same rules.
One interesting thing is that web specs don't usually go into that much detail about UI, or at least that used to be the case. It was generally considered outside of the spec's purview, and it boxes in future browser interfaces that could be something very different than tabs and windows.
If you needed something, I would think something like there must be a visible notice to the user that their sound is being recorded, and if that notice becomes obscured, cease recording. But I'm not entirely sure it should be enforced on the spec level; instead it could have a non-normative security section and leave it up to the browsers to implement it well.
Indeed. Perhaps a reasonable compromise would be to have the permission apply to only the tab for which the user allowed it, and only as long as the tab remains pointed to that same domain. No inheriting permissions across child windows and no retaining the permission for that domain when future tabs are opened. Seems like it would reasonably fit the expectations of the user and I can't think it would put up unreasonable road blocks for developers.
But it looks like all four points of the security model (including #4 that you've quoted) were retained. Luckily, Chrome is more aggressive on popups than ever, so there's less likelihood, but it's not yet bulletproof.
I agree it looks like Chrome's implementation is not matching this spec. I'll look into if we can tighten this up.
In it, a Chrome representative said: "The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."
Check the informationweek article for more, specifically around the errata to remove that sentence from the spec.
As a side note: is it a good thing that a window obtained through a Window.open() inherits the parent window's permissions?
Right now in Chrome permissions are enabled or disabled globally with exceptions based on hostname patterns. Adding a new option like "Allow popup window to inherit permissions" will solve the issue.
A well-hidden popup window can track your position all day using the geolocation API?
tl;dr: When you explicitly grant a website access to your microphone, the site may keep listening in a popunder window after you close the original tab.
If you are going to turn your browser into an operating system, you'd better get the security right -- and spend some time reflecting on the ongoing Java fiasco.
And maybe stop calling it a "browser" -- unless you mean that I'm now the one being browsed.
His demonstration video is suspect: he hides a popup of the same domain authorized to access the mic behind the main chrome window, which is convenient because in real life popup windows usually appear in the foreground and are quite noticeable, if they weren't blocked by chrome’s popup blocker all together.
He is misrepresenting his personal disagreements about UI/UX decisions as exploits or bugs in chrome which is disingenuous, especially as he edits his video to hide the safeguards (mainly the popup blocker).
Also the speech API does not send audio to authorized site only machine transcription of the audio which is not as pertinent, which also speaks to the misrepresentation of the author.
Did you see the same video as I? The current implementation is obviously very wrong. You press the button to stop the listening and the listening continues(!) and the browser doesn't even give any visual cue that it's still listening.
It's the Google answer that is suspect: 'there was an ongoing discussion within the Standards group, to agree on the correct behaviour - "Nothing is decided yet."' What, what?
I find it quite reasonable to expect that all window belonging to the same domain would stop listening to speech once the user indicates she wants recognition to stop. the main window, which started the speech recognition, indicated that the listening stopped, yet it continued on a spawned window. is it a bug? not sure. but it definitely could lead to some bad UX, even if the window isn't spawned as a fishy popunder.
I sure hope it's not a bug, I can imagine real world applications where this feature would be useful. There are two obvious issues here.
1. the video presented this in a very biased light the popup was already open and behind as the main window.
2. chrome should provide an indicator in a more global way to indicate a recording is taking place...
additionally, just like the camera on your computer lights up when it's on, it would make sense for your computer to have a similar light indicator for when the mic is on?
I've experienced pop-ups occurring that go behind. It's not like you don't notice it or anything though. Should this be considered a chrome security flaw? You did, after-all, grant privileges to that site. Revoke and report the site?
I would say yes. Pop-unders should be blocked, and modern browsers work pretty hard to, but it is often viewed as a "low priority" sec issue, and so workarounds are found, ignored, used in the wild, and patched. Here is one implementation, I have seen working versions up to Chrome ~30:
Another serious security issue is when the popunder waits for a while as the parent frame navigates itself to e.g. "java.com", then the child navigates the parent to a malicious drive-by download. This can make it appear to "spoof" a drive-by download. This attack vector has been known and ignored forever (I think Zalewski published about this years back). IE9 and 10 actually do a good job preventing this, but I know it works in most modern browsers.
"To minimize the chance of users unwittingly allowing web pages to record speech without their knowledge, implementations must abort an active speech input session if the web page lost input focus to another window or to another tab within the same user agent."
Given this the actual Chrome implementation is wrong.