Re: [battery] Allow use from within secure context and top-level browsing context only

>The Battery API can be used by third party content for valid reasons.

Earlier, people were asking for use cases for the API in general, so I provided some in https://lists.w3.org/Archives/Public/public-device-apis/2016Jul/0011.html

None of these seem not to be a perfect fit for iframed content, although all of them could be implemented in an iframe as well.

What use cases we have for iframed content beyond tracking scripts that some folks are concerned about? Perhaps maps.google.com running in an iframe (see the third use case in my list above)?

>We can fix the privacy issues with the Battery API by reducing the entropy of the value shared with the web page instead of blocking the capability entirely.

The thinking was reducing entropy is a complementary mitigation strategy.

>I believe the specification is already recommending implementations to be careful with this.

Correct, https://w3c.github.io/battery/#security-and-privacy-considerations says:

>>The user agent should not expose high precision readouts of battery status information as that can introduce a new fingerprinting vector.

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/battery/issues/10#issuecomment-308370458 using your GitHub account

Received on Wednesday, 14 June 2017 09:04:28 UTC