Re: DeviceOrientation "Last Call" Summary

Thanks for maintaining and logging that issue. And apologies that I didn't follow up on the action noted in the minutes where we discussed this at TPAC.

As we discussed at TPAC, and as described in Maryam's proposed alternative text (as in Ambient Light, where there was a similar discussion), I think the top-level browsing context limitation is the right approach: that is, it prevents leakage, having it in the spec promotes interoperability and I think most of the functional use cases (navigation, etc.) are still supported.

—Nick

> On Dec 4, 2015, at 2:11 PM, Mandyam, Giridhar <mandyam@qti.qualcomm.com> wrote:
> 
> Hello All,
> One comment was received via the public list, and it is appended below (thanks – Maryam!).  As a result, an issue has been created to track – see https://github.com/w3c/deviceorientation/issues/24 <https://github.com/w3c/deviceorientation/issues/24>.  Once this issue has been addressed, then the specification can go for broader review as required by the new process.
> 
> -Giri
> 
> From: Maryam Mehrnezhad (PGR) [mailto:m.mehrnezhad@newcastle.ac.uk <mailto:m.mehrnezhad@newcastle.ac.uk>]
> Sent: Sunday, November 29, 2015 11:50 AM
> To: public-geolocation
> Cc: npdoty@ischool.berkeley.edu <mailto:npdoty@ischool.berkeley.edu>
> Subject: Re: Regarding DeviceOrientation Specification - "Last Call"
> 
> Dear all,
> 
> Submission of Comment: Following to Nick's point in http://www.w3.org/2015/10/26-geolocation-minutes.html#item03 <http://www.w3.org/2015/10/26-geolocation-minutes.html#item03>, we would like to attract the community's attention, once again, to the missed security/privacy discussion in the current version of the specification.
> 
> Browsers’ Feedback: Based on the results of our security research, we followed your advice toward contacting the browser vendors directly. All major browsers including Safari, Firefox, Chrome, and Opera have acknowledged the issue and are working on the mitigations suggested by us. Please see the following links for details (Log-in needed):
> https://bugzilla.mozilla.org/show_bug.cgi?id=1197901 <https://bugzilla.mozilla.org/show_bug.cgi?id=1197901>
> https://code.google.com/p/chromium/issues/detail?id=523320 <https://code.google.com/p/chromium/issues/detail?id=523320>
> For Apple and Opera we have been in contact through confidential emails.
> 
> Our Suggestion: We believe raising this issue in the W3C specification would help the browsers to consider it in a more systematic and consistent way. Our suggestion for the new version of the specification is to include an “explicit” section for security and privacy considerations; similar to the policy of W3C on Ambient Light. As mentioned in the Ambient Light specification in http://www.w3.org/TR/ambient-light/#security-and-privacy-considerations <http://www.w3.org/TR/ambient-light/#security-and-privacy-considerations>: “The event defined in this specification is only fired in the top-level browsing context <http://www.w3.org/TR/ambient-light/#dfn-top-level-browsing-context> to avoid the privacy risk of sharing the information defined in this specification with contexts unfamiliar to the user. For example, a mobile device will only fire the event on the active tab, and not on the background tabs or within iframes.”
> 
> Our Research: For the detailed information of the mobile browsers’ behavior on the orientation and motion sensor, and possible attack vectors, please refer to our journal paper which has been accepted by Journal of Information Security and Applications: (http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf <http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf>).
> 
> Many thanks,
> Maryam Mehrnezhad
> PhD Student in the School of Computing Science,
> Newcastle University, UK