- From: Nick Doty <notifications@github.com>
- Date: Sun, 14 Jan 2018 18:31:21 -0800
- To: w3c/permissions <permissions@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 15 January 2018 02:31:43 UTC
I think "To defend against this" might overstate the efficacy, but mentioning ambient notice as a mitigation seems helpful. Maybe: > The UA might provide notice of when permissions are in use on a page which might increase the visibility of abuse. To be clear, I don't think this resolves #52 at all; the privacy impact of the feature is substantial, even if it's now noted in the spec. The ability to subscribe to permission state changes makes the piggybacking even easier to disguise, as the embedded script can access the sensor at the same time as the originating site has received permission. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/permissions/pull/166#issuecomment-357567939
Received on Monday, 15 January 2018 02:31:43 UTC