The issue is a bit overblown. It depends on using a hidden pop-under:
When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window.
You also have to grant it permission the first time you use it. It’s not clear to me how they could fix this without just getting rid of the feature. (Maybe only allow it in active windows?)
There are plenty of sites I might grant permission to use the microphone for a short while, but that doesn’t mean I want them listening in forever after.
I read about this story before and somebody pointed out that the html spec even calls out this possibility and clearly says the user agent must disallow access after the tab/window is closed to prevent background recording.
the user agent must disallow access after the tab/window is closed to prevent background recording.
It does. The issue is the site opens another window, transfers the recording to that one and then closes the original. However apparently that shouldn’t work either:
To minimize the chance of users unwittingly allowing web pages to record speech without their knowledge, implementations must abort an active speech input session if the web page lost input focus to another window or to another tab within the same user agent.
Even just switching to a new tab should stop recording audio.
Is this feature easily disabled or is it hidden away in about:flags or somesuch?
Settings -> Advanced -> Privacy -> Content Settings -> Media -> “Do not allow sites to access my camera and microphone”