Re: [deviceorientation] Move fingerprintable APIs behind permissions (#85)

@anssiko thanks for the follow up!  A couple of notes:

1) re the `requestPermission()` update, i see your point that it seems to address the attack.  I will follow up with the paper authors and see if they agree / have away of carrying out the attack otherwise and report back here.

2) re: Making the security and privacy considerations mandatory, i think this is a great first step, but two remaining concerns:
 - I suggest adding a 4th MUST condition: "fire events after the first-party context has received a user gesture"
 - In general its rare to have mandatory material in these areas of specs; is it possible to move the same content elsewhere (e.g. into the algorithm descriptions), or at least call to these mandatory privacy requirements in the algorithm descriptions?

-- 
GitHub Notification of comment by snyderp
Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/85#issuecomment-546644374 using your GitHub account

Received on Saturday, 26 October 2019 22:22:37 UTC