Re: [wake-lock] Review the Privacy & Security section

From: Andrey Logvinov via GitHub <sysbot+gh@w3.org>
Date: Wed, 15 Feb 2017 10:37:40 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-279975936-1487155059-sysbot+gh@w3.org>

I re-ran the self-review questionnaire:

> 3.1. Does this specification deal with personally-identifiable 


> 3.2. Does this specification deal with high-value data?


> 3.3. Does this specification introduce new state for an origin that 
persists across browsing sessions?


> 3.4. Does this specification expose persistent, cross-origin state 
to the web?

No. The specification does expose cross-origin state (current wake 
lock status), but it is not persistent.

> 3.5. Does this specification expose any other data to an origin that
 it doesn’t currently have access to?

Yes. Origin A can listen to the global wake lock state, and origin B 
could request the wake lock, thereby modifying the global wake lock 
state. This way, origin A can observe actions of origin B.

> 3.6. Does this specification enable new script execution/loading 


> 3.7. Does this specification allow an origin access to a user’s 


> 3.8. Does this specification allow an origin access to sensors on a 
user’s device?


> 3.9. Does this specification allow an origin access to aspects of a 
user’s local computing environment?

Yes, indirectly. The specification allows checking if a particular 
wake lock type is supported, thus providing some information about 
device capabilities.

> 3.10. Does this specification allow an origin access to other 


> 3.11. Does this specification allow an origin some measure of 
control over a user agent’s native UI?

Yes, as it prevents the entire screen from going blank, including the 
native UI elements.

> 3.12. Does this specification expose temporary identifiers to the 


> 3.13. Does this specification distinguish between behavior in 
first-party and third-party contexts?

Yes, as it contains a provision that only same-origin frames can 
request wake locks.

> 3.14. How should this specification work in the context of a user 
agent’s "incognito" mode?

Exactly the same way as in non-incognito mode (matching the "ideally" 

> 3.15. Does this specification persist data to a user’s local device?


> 3.16. Does this specification have a "Security Considerations" and 
"Privacy Considerations" section?


> 3.17. Does this specification allow downgrading default security 


GitHub Notification of comment by andrey-logvinov
Please view or discuss this issue at 
using your GitHub account
Received on Wednesday, 15 February 2017 10:37:47 UTC

This archive was generated by hypermail 2.4.0 : Monday, 4 July 2022 12:47:53 UTC