https://techsparx.com/software-development/security/csp-camera-microphone.html

[logo]

  * Blog
    News Doctor Who
  * Computers
    Chromebooks Hardware Apple Arduino Linux SBC's Linux
  * Privacy
    Social Media Warfare Spying
  * Software Development
    Spring Docker AWS Serverless Node.js
  * Catalog
    Learn Node.js Programming Learn Docker Arduino Raspberry Pi
  * About

[                    ]
Search
 An iframe from googlesyndication.com tries to access the Camera and
                             Microphone

 1. TechSparx
 2. Software Development
 3. Secure Software Development
 4. An iframe from googlesyndication.com tries to access the Camera
    and Microphone

By David Herron
; Date: Tue Dec 14 2021

Tags: Content Security Policy >>>>>>>> Feature Policy

The last thing we want is for an advertising network to access the
Camera or Microphone on our computer. But, while looking for
something else, I stumbled upon messages in the Safari JavaScript
console saying that an iframe loaded from 
safeframe.googlesyndication.com tried to do exactly that.

[adverts-ac]
[INS::INS]

In case you're not aware, there is extreme alarm about the
possibility that the web-camera or microphone built-in to laptops,
smart phones, and the like, could be surreptitiously turned on. What
if Big Brother were to turn on the camera, without turning on the
indicator light, and take pictures, or record audio from the built-in
microphone? There's a long list of possible nefarious results, and
this has to be seen as a serious privacy intrusion.

There is no legitimate purpose for an advertising network to access
either the camera or microphone. But, going by the messages I found
in the JavaScript console, that appears to be what an advertisement
tried to do.

Trying to search for information on googlesyndication connecting to
camera or microphone turns up results indicating that many believe
safeframe.googlesyndication.com is some kind of malware or virus
distribution server. That's a strange assumption to make, considering
the purpose for the GoogleSyndication.com domain.

Namely, that domain is affiliated with the Google Ads and Google
Adsense advertising networks. The purpose is delivering tailored
marketing (advertisements) to people. Whether you think this is
malware, I suppose, depends on how you consider Google Ads or Google
Adsense.

The GoogleSyndication.com domain is part of Google's legitimate ad
serving service. Given Google's policies around that service it is
extremely unlikely for malware to be distributed through that
particular service.

But... if that's the case, how can you explain these messages?

[access-cam]

These messages appeared in the JavaScript console on Safari while
browsing multiple pages on techsparx.com. At first I saw it on one
page, then checked other pages and got the same messages. This site
is using Ezoic's advertising system, which in turn uses Google Ad
Manager for some advertising.

The messages are somewhat clear -- that an <iframe> loading stuff
from safeframe.googlesyndication.com triggered a Feature Policy
check. Fortunately the policy checks for Camera and Microphone
failed. The same script, talon-1.0.37.js, also tried to enumerate
(list) the available devices, which failed.

  * URL: https://cdn.js7k.com/ix/talon-1.0.37.js

Fortunately the feature policy settings in Safari disallowed this. I
shudder what to think of what an advertiser would do after turning on
the Camera or Microphone on my laptop.

Browser settings to limit Camera or Microphone access

In Google Chrome we can allow or disallow websites to access the
Camera or Microphone. To take a look at this, take your mouse to the
upper-right-corner of the browser where there are three vertical
dots. This is the Chrome browser menu, and one of the choices is
Settings. In the Settings area, navigate to Privacy and Security,
then to Site Settings. There you'll find areas dedicated to Camera
and Microphone, and in both areas you can set a default policy, and
set which websites are allowed to access these devices.

In Firefox, open the Preferences dialog, then navigate to Privacy &
Security. You'll find Camera and Microphone areas in which you can
select websites that are allowed to access these devices.

In Safari, open the Preferences dialog, and navigate to Websites.
You'll find tabs for Camera and Microphone, each of which list
domains that are allowed (or not) to access these devices.

[safari-pol]

Notice that I have set one domain to Deny. That's because the scripts
in question came from that domain - https://cdn.js7k.com/ix/
talon-1.0.37.js.

What's blocking access is a Feature Policy

It is incumbent for website publishers to provide a safe browsing
experience to our visitors. Modern web standards have at least two
HTTP headers which affect security policies in the web browser.

  * The Content-Security-Policy header lets the website inform the
    web browser from which domains it should allow content to be
    loaded.
  * The Feature-Policy header lets the website inform the possible
    browser features that will be needed. This includes not just the
    Camera and Microphone but things like Accelerometers, Gyroscope,
    displaying in Fullscreen, and so forth.

What blocked the Camera and Microphone access in this case was
Feature Policy settings in Safari.

Apparently the Feature-Policy header is being renamed to
Permissions-Policy by the standards committee. For now, use
Feature-Policy.

Both policy headers are set in the HTTP response headers sent by your
web server. If you are not able to set HTTP headers, you can use a
header like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

This header is to be put in the <head></head> section. The <meta
http-equiv> tag is to be interpreted as if the corresponding HTTP
header was set.

The (developer.mozilla.org) Mozilla Developer Network has examples of
using Feature-Policy in both HTTP headers and on <iframe> elements.
For iframes, the allow=... attribute sets the policy for it.

Unfortunately, the normal way Google Adsense and Google Ads
advertising gets into a web page does not allow website publishers to
control attributes on the <iframe>.

About the Author(s)

[headshot-n] David Herron : David Herron is a writer and software
engineer focusing on the wise use of technology. He is especially
interested in clean energy technologies like solar power, wind power,
and electric cars. David worked for nearly 30 years in Silicon Valley
on software ranging from electronic mail systems, to video streaming,
to the Java programming language, and has published several books on
Node.js programming and electric vehicles.
Why self-host web services for more control and lower cost than
cloud-based web services How and why to use Git Submodules
[39197_1387]
Ezoicreport this ad
Please enable JavaScript to view the (disqus.com) comments powered by
Disqus.

Subscribe via RSS

[rss_]
Kubernetes: Up and Running: Dive into the Future of Infrastructure 
Node.js Recipes: A Problem-Solution Approach (Expert's Voice in Web
Development) OdiySurveil(TM) 6Pcs Aluminum Chips VGA RAM Cooling
Cooler Heatsink for IC MOSFET SCR,DIY for Raspberry Pi RioRand LCD
Module for Arduino 20 x 4, White on Blue People think it's magic, we
call it engineering
[41SzsmJa9uL] [510Xc8ieh0L] 
[es-2015-16-17-promises-generators-and-async-await-2-1000] 
[create-ebook-cover]
BlairTG.com Refurbished Computer Sales
About TechSparx
                                  x
x