Re: [sensors] Malicious use of the phone's Gyroscope

From: Olli Pettay <olli@pettay.fi>
Date: Wed, 8 Jun 2016 13:02:56 +0300
To: Tobie Langel via GitHub <sysbot+gh@w3.org>, public-device-apis@w3.org
Message-ID: <5757ED50.1050701@pettay.fi>
On 06/08/2016 11:24 AM, Tobie Langel via GitHub wrote:
>> For example, if the spec explicitly states that orientation events must be
>> paused/suspended if the page, tab or browser is in the 'background' whether
>> this could alleviate the security concerns.
>
> See [Browsing Context](https://w3c.github.io/sensors/#browsing-context) for this.
>
>

Two things:
- https://w3c.github.io/sensors/#browsing-context is overly strict.
   Other specs, like DeviceOrientation, recommend firing events only on the top-level browsing context _and_ same-origin
   nested browsing contexts. (Those nested contexts can anyhow get the data from the top level, so no need to restrict them out.)

- It is a bit vaguely said that "must only be available in the top-level browsing context" ... "For example ...not on the background tabs".
   Background tabs are top-level browsing contexts.






-Olli
Received on Wednesday, 8 June 2016 10:03:26 UTC
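
The two points in the message above, as an added JavaScript model (not part of the original message or of any spec text): "top-level" and "foreground" are independent properties, so a top-level-only rule both excludes same-origin frames and still admits background tabs. The context objects, their field names and the function names are assumptions made for this illustration.

```javascript
// Constructed model of browsing contexts; all names here are hypothetical.
function topLevelOf(ctx) {
  while (ctx.parent) ctx = ctx.parent;
  return ctx;
}

// Rule as literally worded: only the top-level browsing context.
function strictRule(ctx) {
  return ctx.parent === null;
}

// Rule the message attributes to DeviceOrientation: top-level plus
// nested contexts that are same-origin with the top-level context.
function sameOriginRule(ctx) {
  return ctx.origin === topLevelOf(ctx).origin;
}

// The background-tab concern is a separate check on the top-level context.
function isForeground(ctx) {
  return topLevelOf(ctx).visibilityState === "visible";
}

// Combined policy: origin rule AND foreground check.
function mayReceiveSensorEvents(ctx) {
  return sameOriginRule(ctx) && isForeground(ctx);
}

// Constructed sample contexts.
const fgTab = { name: "foreground tab", origin: "https://a.example", parent: null, visibilityState: "visible" };
const bgTab = { name: "background tab", origin: "https://b.example", parent: null, visibilityState: "hidden" };
const sameOriginFrame = { name: "same-origin iframe", origin: "https://a.example", parent: fgTab };
const crossOriginFrame = { name: "cross-origin iframe", origin: "https://ads.example", parent: fgTab };
const frameInBgTab = { name: "same-origin iframe in background tab", origin: "https://b.example", parent: bgTab };

function evaluate() {
  return [fgTab, bgTab, sameOriginFrame, crossOriginFrame, frameInBgTab].map((c) => ({
    context: c.name,
    strictRule: strictRule(c),
    sameOriginRule: sameOriginRule(c),
    allowed: mayReceiveSensorEvents(c),
  }));
}

console.table(evaluate());
```
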