
[battery] Allow use from within secure context and top-level browsing context only

From: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>
Date: Thu, 16 Mar 2017 08:40:49 +0000
To: public-device-apis-log@w3.org
Message-ID: <issues.opened-214631955-1489653648-sysbot+gh@w3.org>
anssiko has just created a new issue for https://github.com/w3c/battery:

== Allow use from within secure context and top-level browsing context only ==
(This issue is branched from a proposal made in https://github.com/w3c/battery/issues/5#issuecomment-257554180 since there seemed to be adequate support for making such a spec update.)

**Problem:**

Malicious content such as framed tracker scripts using the API to fingerprint users.

**Proposed solution:**

Make the API available only within a [secure context](https://w3c.github.io/webappsec-secure-contexts/#secure-context) that is also a [top-level browsing context](https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context). This disallows the use of the API within framed content, as well as from any content that is not a secure context.

See [top-level documents](https://w3c.github.io/webappsec-secure-contexts/#examples-top-level) and [framed documents](https://w3c.github.io/webappsec-secure-contexts/#examples-framed) for illustrations.

**Summary of changes:**

There exists a hook in the spec to implement this change with no API surface changes in a backwards compatible manner:
* if the API is invoked from within a browsing context that is not a secure context and not a top-level browsing context, then
* leave the promise returned by [`getBattery()`](https://w3c.github.io/battery/#h-the-navigator-interface) in a pending state

This means we won't break existing web content using the API.

@riju volunteered to look into updating the Chromium/Blink implementation accordingly after the spec changes have landed.

Please view or discuss this issue at https://github.com/w3c/battery/issues/10 using your GitHub account
Received on Thursday, 16 March 2017 08:40:56 UTC
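The gate proposed in the issue above, as an added example that is not code from the w3c/battery spec or any browser engine: the API resolves only when the calling context is both a secure context and a top-level browsing context, and otherwise the returned promise is left pending so existing callers do not throw. The context objects, the `realGetBattery` hook and the `getBatteryOrNull` helper are constructed stand-ins for illustration, not real Window or spec APIs.

```javascript
// Added example, not part of the w3c/battery issue or any engine implementation.
// Models the proposed gate for navigator.getBattery(): the promise settles only
// when the calling context is a secure context AND a top-level browsing context;
// in every other case the promise stays pending forever, so existing content
// keeps working without exceptions (it just never receives a BatteryManager).

// Decide whether the API may be used from this context.
// `ctx` is a constructed stand-in for a Window: { isSecureContext, top, self }.
// Real Windows expose isSecureContext; a framed document has top !== self.
function isBatteryAllowed(ctx) {
  const secure = ctx.isSecureContext === true;
  const topLevel = ctx.top === ctx.self;
  return secure && topLevel;
}

// Never-settling promise used for disallowed contexts.
function pendingForever() {
  return new Promise(() => {});
}

// Gated entry point. `realGetBattery` is an assumed hook returning a
// Promise of a BatteryManager-like object from the underlying implementation.
function gatedGetBattery(ctx, realGetBattery) {
  if (!isBatteryAllowed(ctx)) {
    return pendingForever();
  }
  return realGetBattery();
}

// Page-side caveat: a caller cannot tell a pending-forever promise from a slow
// implementation, so race it against a timeout and degrade to null.
function getBatteryOrNull(ctx, realGetBattery, timeoutMs) {
  const timeout = new Promise((resolve) => setTimeout(() => resolve(null), timeoutMs));
  return Promise.race([gatedGetBattery(ctx, realGetBattery), timeout]);
}

// Constructed sample contexts (stand-ins for real Window objects).
const TOP = {};
const CONTEXTS = {
  secureTopLevel: { isSecureContext: true, top: TOP, self: TOP },
  secureFramed: { isSecureContext: true, top: TOP, self: {} },
  insecureTopLevel: { isSecureContext: false, top: TOP, self: TOP },
  insecureFramed: { isSecureContext: false, top: TOP, self: {} },
};

// Gate decision for every sample context, keyed by name.
function gateTable() {
  const out = {};
  for (const [name, ctx] of Object.entries(CONTEXTS)) {
    out[name] = isBatteryAllowed(ctx);
  }
  return out;
}

// Fake backing implementation resolving with a constructed BatteryManager-like object.
const fakeGetBattery = () => Promise.resolve({ level: 0.42, charging: true });

// Stand-alone demo: only the secure top-level context gets a BatteryManager;
// the framed secure context times out and falls back to null.
console.log(gateTable());
getBatteryOrNull(CONTEXTS.secureTopLevel, fakeGetBattery, 100).then((b) =>
  console.log("secure top-level:", b)
);
getBatteryOrNull(CONTEXTS.secureFramed, fakeGetBattery, 100).then((b) =>
  console.log("secure framed:", b)
);
```

The timeout race is the part page authors need: because the spec hook leaves the promise pending rather than rejecting, an `await navigator.getBattery()` in a framed or insecure document would otherwise hang that code path indefinitely.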