[Bug?] Audio API blocking doesn't work

[chiraag-nataraj]

Easiest way to block it is to disable the creation of AudioContext (currently I'm doing this through a userscript), but I guess you already know how to do this stuff 😜

Anyway, thanks for the awesome addon!

[chiraag-nataraj]

Hmmm. Seems to already be a part of the addon but doesn't actually block anything. For example, I used https://browserleaks.com/javascript and it had full access to the Audio API even though Web Audio was checked on the blocklist.

[pes10k]

@chiraag-nataraj Thanks for the issue report, but this is not a bug (or, at least, not in scope for what the extension is aiming for). I see how its not obvious why though!

The extension blocks all methods in the Web API, but doesn't attempt to block property accesses (for a whole bunch of reasons I can go into if you're interested). So the page you linked to is able to access some of the properties on AudioContext (e.g. sampleRate, state), and AudioDestinationNode (e.g. maxChannelCount, numberOfInputs, etc), but isn't able to access information about (for example) AnalyserNode.frequencyBinCount, because you need to call AudioContext.prototype.createAnalyser() to get an analyzer node, and the extension blocks the createAnalyser method call.

Hope that explains the issue. I'm going to close the bug for now, but if you're curious on why the extension works this way, let me know and I'm very happy to explain more :)

[chiraag-nataraj]

Huh...I see. Why not block the property accesses? Does it break certain websites or something? I'm pretty curious :grinning:

[pes10k]

There are a couple of reasons:

1. Some methods return objects that don't inherit from a global structure (ie they just return Objects). For these cases, there isn't a way to protect property look ups on those objects. So it because easier to say "the extension blocks methods but not properties" instead of "the extension blocks methods and some properties, but not [long list of cases]". So, it was easier to explain the limits of the extension.

2. Most of the scary / powerful / potentially harmful stuff in the Web API is behind methods, so number-1 didn't seem like much of a downside.

3. At first I couldn't think of ways of blocking property lookups on non-global objects. I think though there might be a way (ie in the AudioContext.sampleRate case, creating a getter and setter on AudioContext.sampleRate). Might be worth checking out, but…

4. For most of the Web API standards, when I was going through and documenting the end points / features, I only included methods. So, adding properties back in would take a ton of work (and time is limited, of course:)

Hope that explains a bit. I like the idea you have though, and it'd be a good idea to revisit soon. I'll re-title and re-open the bug!

[pes10k]

Actually, i think that'll be confusing, i'll just create a new bug :) #67