- From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
- Date: Thu, 16 Mar 2017 08:40:49 +0000
- To: public-device-apis-log@w3.org
anssiko has just created a new issue for https://github.com/w3c/battery: == Allow use from within secure context and top-level browsing context only == (This issue is branched from a proposal made in https://github.com/w3c/battery/issues/5#issuecomment-257554180 since there seemed to be adequate support for making such a spec update.) **Problem:** Malicious content such as framed tracker scripts using the API to fingerprint users. **Proposed solution:** Make the API available only within a [secure context](https://w3c.github.io/webappsec-secure-contexts/#secure-context) that is also a [top-level browsing context](https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context). This disallows the use of the API within framed content, as well as from any content that is not a secure context. See [top-level documents](https://w3c.github.io/webappsec-secure-contexts/#examples-top-level) and [framed documents](https://w3c.github.io/webappsec-secure-contexts/#examples-framed) for illustrations. **Summary of changes:** There exists a hook in the spec to implement this change with no API surface changes in a backwards compatible manner: * if the API is invoked from within a browsing context that is not a secure context and not a top-level browsing context, then * leave the promise returned by [`getBattery()`](https://w3c.github.io/battery/#h-the-navigator-interface) in a pending state This means we won't break existing web content using the API. @riju volunteered to look into updating the Chromium/Blink implementation accordingly after the spec changes have landed. Please view or discuss this issue at https://github.com/w3c/battery/issues/10 using your GitHub account
Received on Thursday, 16 March 2017 08:40:56 UTC