Bromite: Widevine CDM provisioning request to googleapis.com
Bromite version
Version: 79.0.3945.123
Arch: arm64
Android version: 8.0
Device model: Poco F1
Is this bug about the SystemWebView?
No
Is the bug reproducible with latest version?
Yes
Can the bug be reproduced with corresponding Chromium version?
Yes, but won't complain chrome targeting google APIs
Is the bug a crash?
No
Describe the bug
Snif network traffic from the acces point on the device where Bromite is installed (by using Wireshark), and notice calls to
www.googleapis.com
Steps to reproduce the bug
Start Wireshark on Bromite access point.
Just run Bromite for the first time (or after cleaning all Storage cache) without browsing wait a minute.
Read Wireshark traces statistics and notice calls to Google FQDN
www.googleapis.com
Expected behavior
No call to any Google FQDN.
Screenshots
sooorajjj
All 14 comments
Is there anything else installed on that device? I presume it's another background process calling the Google API 🤔
HigH-HawK
on 21 Jan 2020
@sooorajjj please inspect the content of the request/response, I doubt this is sourced from Bromite
csagan5
on 21 Jan 2020
Here is another test i did with NetGuard app
Just to be sure its not from any other services running on my devices .
Here is how to reproduce the issue fresh install bromite app and wait 1 minute .
sooorajjj
on 22 Jan 2020
I tried this myself but could not reproduce the Google access. The only thing appearing is the bromite.org URL. What homepage do you open when opening Bromite the first time?
HigH-HawK
on 22 Jan 2020
@sooorajjj good, that reduces the scope. Which icons are on your New Tab Page? The requests should be only about those favicons.
The googleapis request might be about something else which did not get blocked, but to sort it out we need the full request and response as per previous comment.
See also this comment.
csagan5
on 22 Jan 2020
I analyzed Bromite's network traffic and noticed that, after about 1 minute after its first start, two POST requests are made to the www.googleapis.com server. Below are listed the information about the requests made and their respective responses.
URL: (First request)
https://www.googleapis.com/certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE&signedRequest=CpwBCkwIABJIAAAAAgAAEV2MzJHgSmHCbKbxHuc92bLVn1o1rKpIEmigmQjF4GHijQ2TPYBOBlZDy-E4mfo7_nFJJUAxK3v1hoSOzxuxvyfZEgROM9lcGgQIABIAIkBuS1NNa2JGYWZuSUl7Y2xFTXtSS3VCRHpCYVRRZFRVAENBMTI3QUFEQUVEQkM3MkQ4Mzk4Qjg1QjZERjhENjU3EiDo_lja9XRGsBGRKNLh6JS_imuwpAzNVrt2D08geUDRWhgC
Client request:
POST /certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE&signedRequest=CpwBCkwIABJIAAAAAgAAEV2MzJHgSmHCbKbxHuc92bLVn1o1rKpIEmigmQjF4GHijQ2TPYBOBlZDy-E4mfo7_nFJJUAxK3v1hoSOzxuxvyfZEgROM9lcGgQIABIAIkBuS1NNa2JGYWZuSUl7Y2xFTXtSS3VCRHpCYVRRZFRVAENBMTI3QUFEQUVEQkM3MkQ4Mzk4Qjg1QjZERjhENjU3EiDo_lja9XRGsBGRKNLh6JS_imuwpAzNVrt2D08geUDRWhgC h2
Host: www.googleapis.com
Content-Length: 0
User-Agent: Widevine CDM v1.0
Content-Type: application/json
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Accept-Encoding: gzip, deflate, br
Server response:
h2 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 24 Jan 2020 03:06:40 GMT
Etag: "MDgIQVwyjNj_tJB_4VOgo5Ibzyk/mC8ppArAMIBxLaap9LYZ1lfM7rQ"
Vary: Origin
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 2695
Server: GSE
{
"kind": "certificateprovisioning#certificateProvisioningResponse",
"signedResponse": "CtsTCtAJCkvX77DVtWXoXzDr2RiaD_YOF2s5XbHpH8e7LQL09kzBPS0FeYVt_7-y6Pc26kCk3KTo5_ZSVRYw5kl9F3Tu3DQgolErSlKo2Ea_O5uuDnHO8gleF8JfHhYtfoiAwwBJY4dJn-58rUqUmiY18Y_hZhYme2yRhZksGeQ85kQTDagl4FxGzJwkznmVsM5VEOfY9gqBTzRCtaZQSbr64eOiOMj3I4pBZ0E3XNXCEgR8usXPn_9B99FZ5YfowqvpN3yjOCbfxZ_lDSOF_Uzainpbe0-ioAfMF5-EZsjfi6B29lYhmyf_lHXXwfc5AscQhzuuNyatI0zPjACXbTyGn_3fUYnrQzsEUcQpz2omIDzDYlPP8Yg80MSLUVlKitsY_b9bTtw3f8zLOPfZD7ceB3aDoIE_UQ7zGOJyvlTVXH7Jvf2NQTnGLxW5pOdjYqym5BPfIPIa-PzNiwayhkn-2qrGDLtWHK-YDsXpRFIbQ2ZSo7IVuRztMlsAGSjpEJjThXGKENlw5GkBnOK2H7INJ11Y7gkj8dnRShGBRmoWorsNRgYjjh-qtIPF9haYYdIk7NdncUpCkOCHGF9EIrDSiuUynLAngRjwJ9Jo7pqR53iDcyWYKeiwZ3-iruanZ-bUukr_qT-L6FSFhERzatOTa1-aqpVWcxOSBA0QoihHQtA8ErkV93j6F9zk3jYiXIDQV9Ean-Lo9HX5zHvh3hTFENNRScj8Kqgf2u7J7e-p6Q8IJOidtNeBW7AegqR2EOzE7Q0294bL587xoWfxkxnvx_mjyOZchhWokKTgZrezP9qtchgNkQUYml3alUWgSQ3jfUWSGqXdIJ4UQBX312q3JVm3iOCXjmohcja3Bqtjz-WZpVRyJ8Qxw8hxGVzJ-4bN8gVM7tEX9fzKUcbYYL54QRz1J93LPDt0TAMRXfBW_JjgKGs7IcxoNIqb9kQOyB6oQ85JyQzcUvoH7Irl3iDe65jP2jtvthdt9Glryy7EMZcdpcFRHkvC9XMgFV40Lwxobm4wfzGXNv7qbTJHx29zrTRA8SB7pKD2_XxQJFs-Qv_yXEFQCNzWufXeM_vXRMH0r99JP0THXCY4Mx_crHdPHZfE2D4kUeJOCuOBL0eLW4W6XeHycNkZUB4cI8a8h2RvmIc-frqqJ3Pv3VR7QN7CFS3Up11GbGBy1aYaFj8J0D7p2YZowQT3TLPHch9BYSQ-dYZtUBTZSIDdQvt0kIMn9tY06_fDvTTdu6lXean-54g0cryxizEzUzxv_eCKAz1clM9JViCqxHbX39LdLOQeL7YKLwto0Zl6jV3V_oSjElG7BBHANlktci-Bcnadmpp4pnylNBgnzX77BR-iCS3Se2FyiFRFrBF1VhJYDnBA9lBE3WURTSzEx9kR5e4-CAUy4HOx7kdMhZYZsi1MSKDjy-WfYPqZAnYZjGY_r55qxMmdXJpOyoBxsbANS7BPbO_WaTKowBIdNx9KdsiwkmOePro78cgXB0KESt7lYYkX28YeCLS4A-oEnxOtM3nDYuKpyYTrZTeXB1TV4GlgzvOxK-SAA7W7hj3rfUe2JixrH8Yr5mGw76srfACP6JczW9QZ_1ssOHFTy02pMMWKXe09nsqzjsSaAa0oqLUP7P8VpxBkqUESEE5TKmu9T3cji5NDRcRw43ga7QkKsAIIAhIQHN8SLv6znWQ-b_rcCyQEnhjAvqnxBSKOAjCCAQoCggEBAM1OTlhkJDvBelQ2PliE_InBdhFhznROeS9Ki7hcF1bDonH_pNQvc89pekeSE5EBRJj8LdS2n5wZ9IutY4s3LXGzWswObwm_378FVMl3rCLpZQAdXJ16BmFtTJPHT_5I3tXgXa9reNXnhC638E_049BQnAVhcZqIbvQmuUGmf5OQ4sHyYmoQ3px8tJE_ax6bA_nr51KaimO1zZ3fIZVISVPOsQEQSbP7D7aLDRBsT__LTI0P9VXwlfOS9ixFlfjNIBYpT7TjLjMAM1rrBamtLC35dAY9EonuQHzKp88KlkHmAjqDP5F0-Pmb8RNY5DIwotTCqX32GbHTpF1NzKSaCGkCAwEAASjdIkgBEoACvPOk6yz1Ulz9Trh8geCxe2iwjitx24O1cyO3IFfaPKzn-104ufZu7GgRVq6YdrKnw2AXfIy0DULdmq6zMKQyMic4kkX2FE2wpcmnqTGqbPW9Sv3uRjRaDbyoTHoaju6XfEYvhOfmU_O2JiFyZBnr171gKqDz_F_j0oI_nh9u5FklH24ZKzV8Ry7Y4XbMXgtjzgzmkPuqXhtawi3awvcI12VShWta18J_LgF_SUiJH0fotVpHGCN3bq2u8hCCWUbXyGi3da2hhE8VrLJQdO48Wnl1w5Oiaai1QpMjQ0z5WQdlb8cs-MGBb-QtI0uetYH7BwMvqvRO0-osM2Sc29A5uxq0BQquAggBEhAX3Lwn0RNB1JcTVEKhiNqmGI-JgJEFIo4CMIIBCgKCAQEA0hrddUnSdIs0lFJqnD-4bHk3a76MiFb2AbjRBGH3esxzMbEN6_NlEgBWzbVmLSWQe3TxI4Lw9KDKR17qlWKBXGIo9vaYraJ4ediJDyotlqdG3e9TFjAcADUZwqIlA1RnQWn92kHOFNPFK-p6IDhFFQEtWVKziqGeFehWPMeqqBwhIogKo3CmT-ojxT-4OsPbV1MhRzCjSeB_ZL8yvn6tMNAmEq8RC7RPsI4dMIFzsyfvZNQMQWOVQrLRpzyYpmB-xsaDtROlhHBRQQbvh64ee5xpW5OhBN90N7_EFneJdIpD7SCPLB-nEHk8aIiF6ucyqL_fW0I7I9dbiPwK3I-9tQIDAQABKN0iEoADctL7iAmLo7hba0NU4Ddn2-LXckZj-wpiq_dwTqkQ4B8iE0nuFtAVLHaThAUM54UgZowGzP09eJrz62n_FjYVzWCRaf2-LhWgKdNK0mBWJbyBhEydHizgUZA583ma2u-GZB4gsDPcFt8uW5oaKkF7i7O3pNmtGpk2dEhYfaE93gWj7Z1i-kIHiXO0qkAmPXv6I_EHLpTN8yP6RfeECII-VcT0xccjgZz0TObZjlDATsJNk7GquId7kQi5yjkTCOGjZF67Dnysu0C1RRVg7XmUIYc7-1q7kX-mDbnHfLhgavfjFCYm9epA5cuKoInY59apNhk1xCakRQ6ovC5XKQ078KCWKZHSqRt1L8gMPn5OVQM9cclLMlMHpogV8CZEj1aidBzr78GOjBQvX2K_qmeikVF93pgtjNWp3249Opm4BvbWCZE1jFvncRfU8xaPM0jpoEhTn4kvTXgxUseoCVIkqla3jFz3vRqxsXnAwNEePDushMFBoAGRMh46zBckLmg8IgROM9lcEiCjMY4mUAUCWwagIkrNolslGq5M7OfbMZCWWj3NvGkGNQ=="
}
URL: (Second request)
https://www.googleapis.com/certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE&signedRequest=CpwBCkwIABJIAAAAAgAAEV2MzJHgSmHCbKbxHuc92bLVn1o1rKpIEmigmQjF4GHijQ2TPYBOBlZDy-E4mfo7_nFJJUAxK3v1hoSOzxuxvyfZEgSCQ7v3GgQIABIAIkBuS1NNa2JGYWZuSUl7Y2xFTXtSS3VCRHpCYVRRZFRVADU4MUFGQ0NCNzhBMjI2MDA1OTUyODIyQ0U0NzQ5QzNBEiDJkhx1Sy6FUJlhFMW0e91yBNb4PuUj21F1NfrSK41dSBgC
Client request:
POST /certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE&signedRequest=CpwBCkwIABJIAAAAAgAAEV2MzJHgSmHCbKbxHuc92bLVn1o1rKpIEmigmQjF4GHijQ2TPYBOBlZDy-E4mfo7_nFJJUAxK3v1hoSOzxuxvyfZEgSCQ7v3GgQIABIAIkBuS1NNa2JGYWZuSUl7Y2xFTXtSS3VCRHpCYVRRZFRVADU4MUFGQ0NCNzhBMjI2MDA1OTUyODIyQ0U0NzQ5QzNBEiDJkhx1Sy6FUJlhFMW0e91yBNb4PuUj21F1NfrSK41dSBgC h2
Host: www.googleapis.com
Content-Length: 0
User-Agent: Widevine CDM v1.0
Content-Type: application/json
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Accept-Encoding: gzip, deflate, br
Server response:
h2 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 24 Jan 2020 03:06:40 GMT
Etag: "MDgIQVwyjNj_tJB_4VOgo5Ibzyk/MIjs71ZGR7Sf6e6PC4ex-Uoo--4"
Vary: Origin
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Vary: X-Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 2697
{
"kind": "certificateprovisioning#certificateProvisioningResponse",
"signedResponse": "CtsTCtAJfZfNPOFDI03Ga9Jsm49g_z28VrN9bBeQj3pgYzKQ1FtuF189Nkg78b0JcW-u60JAJvhtDInKiKHyzOWp5JQjFkSlMl5YVgXQO_qG6EuzxVJfXPRkhVI7oI8mMtZApEJzFG4uHcNt-oHvT-0rzhEaCCLOgZVahMK2nCroo-abfYqrUiMVpBjjQ4ojavbhTAahdpUJABEHJcrR56Y2oZx1aZNoAa7Do9_Lam5OK_BfzTnH6_zysV1cA2fIRsxRXwAATY80wP1f-ZkrjAoI4UUfd7S0uuO3ru89TxyzuEAc4aSfB0D2auWAXyOlJwkRjSAZ4ZBAGD65Eq-VIYYev-Ifs8RmlrAa44meqGmcLuNxGXp7xLwvaoMmo9Y7tOcWCj-Avivrl1VjZHdLLfpxtLCXTCmPXgvcadxUDHcCDTX0JvxhuENqMkcqOZReyN7g7M5cmA_qoaYBYxEfwzfx27CEUkb2Pbrnn86CKI4VK6oax5pRqzh0CfIlRVymv3toeGkKfIrA1mZjlfWFiWUbMbwHcFPsyLsPucB3vk1CbiSamSQPryv6XoxkCp-0j1sPvHkCcyW9Aya7aA3aMIDnmqlP-IWSGNVNgD5IWu9uy6ntBn_9zIEYZaIKSZ8SUVQEUySpwzVecfF3RTF12nkg4yTAnoNA42W0UiJaszvbQAHnTe2p8lmwFCWT4icM1yZb9KV4ONlfXFWdI1--JfDdEDUEmnLr9zxf6CRzooWxxv-82JZUGy3Kz4c0jmt0P_WI25PGJ3q5OUp2JXNJ-_dNBAaJCez9THqcb4LJeyeqTqG8jUSGMY8DHttSlEeleIJUFMgtUrr20G3R6O_LY90Q4dWPGfp7ITjiuWUDhfFnhdb2MHaqoYce7nvbf7H2CLZrAMXlkCxXsAq4gytupKicSy_gtYwfoAf9P8Dn_gkdbPXsOFq1037Zfop9oCwdo_hXjMBhXuIhFlaeUuZ-JEjgZF-b_Vb5Tq_8kwKWWOtb7t94q9WxbWjt_Cmb6XEsutWmXPDNTePgrQv-JTz7oENNO2k_k8tdc0Q1s5NCnLhkod7XgIutEn06Q0Lm2wGewbw0uKx9U-n0WvBIvFw82CyLdcocgkd0jTCsuDWFOYhC6p3FJSVPqk5i1qYEzbgk9GxAH8L51yMib2ex5U2Yh-Am7tUEpWEaZL9wsD2HXcYWTezpBet6Mewu56IlzRySYlfGyLWhVrC2tz-2JZ6lc1oWbTem9IU2-UcC0aFw_tEyYSwKYBmznw_iTpWfkVw0iSDnylkLbF6pfDS0WXdcDto3vbsrmaVzXIbszBHc2Alf_2MRdwjJGwh_ACtSQkpiDAArvAnMOgHirHsZyUssjx2pBxCLYMtFAItM2ZeIIzB37juT8DyD-RoTVT-8XwLbMGqIy1cTKJeVpW6iQSSeW8kPyMOQHMKbWrNmYI-eQ7XgtP_CF3JcPzRBrrVydSsCmQg00hyf3cBN9zvAqZbwpNVQVse4FJ8DMMhktDgcy-Iy9X3uZJQXmO2_PIKMZG3eWzMLTC2MrbIIwKedKhsaOJk9J1DLS3CCzqv0OHw_3_QEIea-iH1XoaNaOHxgH6bBba5NH0WPvkbWfCDxbUAUzPSgHNhJJKEu8-7merqW-jZM6hWYwikSEOR-EbdzzaizuzJfxUx-lOga7QkKsAIIAhIQEQvYVI73DWtj9EY6aChRgxjAvqnxBSKOAjCCAQoCggEBAKgqImFtwcu2PTiOZdw8cQaGOAzaQUkEBh8kO0PfpdG0w1vQpk_vt4azXE67dtcKY9op0Hn6jROU-j89cYMeYK1dJfFc9X7pNPyZfL9bz0--OS24ncPBWHZmKqUmK4zfxtgl0i_J7vi5EybiiWTPoLbJWTFwH7QMfQtsd9DmGt1MBuaRMWzFQVE9z5QmiDGPptNFDaDX1FZIxVXarHoHpZuMvyuuHq8Vog9i0ijMoIgY5kUmQUuddiodr6vt6MmRw8z5QzrdYXQ_MI54LPBZeZiEc-Ek9L50d7SCa-BhESgGqBeXc_kSl030MWxy79EeUi2J3V5b3wZARG_pDZa-umkCAwEAASjdIkgBEoACQ9d2R-ioPJll4POUNNaT370wt02MX9KKBaxrUJTnANdlcs-Gr2t7_anOsGUZR3T-VVOSUQ7Zl1N9YiAtSNTgG9-Om_nO73AurKSFOWwx_Vh0Z2EooOZyhZjP7ny3FY85K6wsmFza6WJTnlwVSvJpjVUKliLxFKUtTRJBNp1J8TST6Q1HVcHqlSOHR7d9XDr7FlepILiCuLveqJpvN1526Xx3L4Rh-JpqnqYVFopo8G56l8RCeYm2PEeWEMJLrv8AyPk6HvtwBwQDrFtdJ9TfnRHgM-dnjEVl3-tnG47OjThCS3V4aeF82r6zEjME_Ybez7OeCFKfzqcKZbCjV15sRBq0BQquAggBEhAX3Lwn0RNB1JcTVEKhiNqmGI-JgJEFIo4CMIIBCgKCAQEA0hrddUnSdIs0lFJqnD-4bHk3a76MiFb2AbjRBGH3esxzMbEN6_NlEgBWzbVmLSWQe3TxI4Lw9KDKR17qlWKBXGIo9vaYraJ4ediJDyotlqdG3e9TFjAcADUZwqIlA1RnQWn92kHOFNPFK-p6IDhFFQEtWVKziqGeFehWPMeqqBwhIogKo3CmT-ojxT-4OsPbV1MhRzCjSeB_ZL8yvn6tMNAmEq8RC7RPsI4dMIFzsyfvZNQMQWOVQrLRpzyYpmB-xsaDtROlhHBRQQbvh64ee5xpW5OhBN90N7_EFneJdIpD7SCPLB-nEHk8aIiF6ucyqL_fW0I7I9dbiPwK3I-9tQIDAQABKN0iEoADctL7iAmLo7hba0NU4Ddn2-LXckZj-wpiq_dwTqkQ4B8iE0nuFtAVLHaThAUM54UgZowGzP09eJrz62n_FjYVzWCRaf2-LhWgKdNK0mBWJbyBhEydHizgUZA583ma2u-GZB4gsDPcFt8uW5oaKkF7i7O3pNmtGpk2dEhYfaE93gWj7Z1i-kIHiXO0qkAmPXv6I_EHLpTN8yP6RfeECII-VcT0xccjgZz0TObZjlDATsJNk7GquId7kQi5yjkTCOGjZF67Dnysu0C1RRVg7XmUIYc7-1q7kX-mDbnHfLhgavfjFCYm9epA5cuKoInY59apNhk1xCakRQ6ovC5XKQ078KCWKZHSqRt1L8gMPn5OVQM9cclLMlMHpogV8CZEj1aidBzr78GOjBQvX2K_qmeikVF93pgtjNWp3249Opm4BvbWCZE1jFvncRfU8xaPM0jpoEhTn4kvTXgxUseoCVIkqla3jFz3vRqxsXnAwNEePDushMFBoAGRMh46zBckLmg8IgSCQ7v3EiC7RTrCb5y_Y0JhX15RLI6vseYxurbXyd1OICt2LOOPqw=="
}
SnwMds
on 24 Jan 2020
Great job @SnwMds! The request appears to be done here: https://github.com/chromium/chromium/blob/79.0.3945.123/content/browser/media/url_provision_fetcher.cc
I am now looking further into this.
The network traffic annotation provides details about this request, trigger and purpose:
semantics {
sender: "Content Decryption Module"
description:
"For a Content Decryption Module (CDM) to obtain origin-specific "
"identifiers from an individualization or provisioning server. See "
"https://w3c.github.io/encrypted-media/#direct-individualization."
trigger:
"During protected content playback, if the CDM hasn’t been "
"provisioned yet, it may trigger a provision request which will be "
"sent to a provisioning server."
data:
"Opaque provision request generated by the CDM. It may contain "
"distinctive identifiers (see "
"https://w3c.github.io/encrypted-media/#distinctive-identifier) "
"and/or distinctive permanent identifiers (see "
"https://w3c.github.io/encrypted-media/#distinctive-permanent-"
"identifier), which must be encrypted. It does NOT contain origin "
"information, even in encrypted form."
destination: OTHER
}
policy {
cookies_allowed: NO
setting:
"On Android, users can disable this feature by disabling Protected "
"Media Identifier permissions."
policy_exception_justification: "Not implemented."
})
The www.googleapis.com is not part of Chromium/Bromite codebase but comes from Android itself; that explains why the domain was not sanitized.
I find it surprising that it starts requesting a CDM key even before content is played...
csagan5
on 24 Jan 2020
I found in Chromium codebase 2 switches called MediaDrmPreprovisioning and MediaDrmPreprovisioningAtStartup, enabled by default (introduced ~March 2019).
I will disable MediaDrmPreprovisioning by default but on top of that it is necessary to decide a course of action to complete the fix:
- completely rip out Widevine (already considered in the past) so that no DRM support is present
- let it perform provisioning as needed, not on startup
- (2) and put a flag in place, enabled by default
- (2) and put a flag in place, disabled by default (will cause major breakage to the common user that cares about privacy but would not about this specific instance of privacy violation, DRM)
Meanwhile I will document in the README that Bromite supports Android DRM (this is intentional, but it is not clear for all users how DRM works so better to refresh it).
@Eloston @wchen342 your opinion appreciated as I see that in ungoogled-chromium you did a fair setup; as far as I know ungoogled-chromium-android also has this issue/feature which is related to DRM support.
csagan5
on 24 Jan 2020
this specific instance of privacy violation, DRM
To be precise: https://w3c.github.io/encrypted-media/#direct-individualization explains how the identifiers are created, which is a good method. The privacy violation consists not much on these identifiers but for example on the source IP address and the fact that user is not requested consent before it happening (another case of violate-by-default).
csagan5
on 24 Jan 2020
Fixed in 79.0.3945.139.
As per upstream https://bugs.chromium.org/p/chromium/issues/detail?id=686430 it must already be possible to disable playback of protected content.
@sooorajjj @SnwMds can you please get latest version and disable protected content playback from site settings -> multimedia -> protected content and verify that the the CDM provisioning request to www.googleapis.com does not happen?
csagan5
on 26 Jan 2020
@csagan5, I tested version 79.0.3945.139. The CDM provisioning request to www.googleapis.com does not happen anymore.
SnwMds
on 28 Jan 2020
Thanks @csagan5 , the issue is fixed no more googleapis call .
sooorajjj
on 28 Jan 2020
@sooorajjj it will happen first time protected content is played (unless protected content is disabled for all sites or that specific site)
csagan5
on 29 Jan 2020
Related issues
drygdryg
·
3Comments
gene-scape
·
5Comments
Techguyprivate
·
3Comments
Lucaas87
·
4Comments
Someguy1519
·
5Comments
Most helpful comment
I analyzed Bromite's network traffic and noticed that, after about 1 minute after its first start, two
POSTrequests are made to thewww.googleapis.comserver. Below are listed the information about the requests made and their respective responses.URL: (First request)
Client request:
Server response:
URL: (Second request)
Client request:
Server response: