On 1/16/19 5:26 PM, Tom Ritter wrote:
I don't know for certain of any other situations where unusual codecs might be present and usable that allow fingerprinting or situations where common codecs would be missing or disabled (excepting, of course, about:config changes.) But it seems likely? If a user has installed a weird and unusual codec, the browser might still be able to play the video because the codec's on the system? Or perhaps a user is on an old Linux that has an old ffmpeg that doesn't support a newer codec?
Last I cared about this, firefox would happily use libgstreamer if it was installed as well, though my notes (read: code comments) indicate that upstream was deprecating support for this particular nightmare.
I solved the problem by explicitly whitelisting the codec providers that I bind mounted into the container (a handful of versions of libavcodec-ffmpeg and libavcodec), which likely wasn't perfect, but did solve the libgstreamer issue.
In addition to exposing codec information; it also exposes things like whether certain codecs are hardware accelerated or if a machine can handle high resolution video or not.
Force disable hardware acceleration? It's what I did.
- Tor can probably bundle ffmpeg in some capacity; but it can't
bundle WMF due to licensing.
Time to pay money to MPEG-LA to ship something actually useful.
Regards,