
Re: [sensors] Avoid PIN skimming attacks by using input element state

From: Tobie Langel via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 May 2017 13:48:08 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-298915801-1493819286-sysbot+gh@w3.org>

So thinking about this a bit more, what's the scenario where this makes sense?

Currently, we're limiting sensors reading output to top-level browsing context of visible tabs.

So the only case where I see this could be an issue would be in a top-level browsing context trying to snoop on an embedded cross-origin iframe. For example, a merchant that would embed PayPal and try to guess the password during checkout.

Seems like a safer mitigation strategy would be to stop outputting readings when the current browsing context loses focus.

I'm not sure what the precise relation between page visibility and page focus is.

-- 
GitHub Notification of comment by tobie
Please view or discuss this issue at https://github.com/w3c/sensors/issues/189#issuecomment-298915801 using your GitHub account
Received on Wednesday, 3 May 2017 13:48:15 UTC
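
The scenario in the message above, as an added example that is not part of the original message or of any specification: a plain JavaScript model (no browser APIs) that replays one timeline under the visibility-only rule and under the focus-based mitigation. The origins, function names and event timeline are constructed for illustration, and the model assumes that focus moving into the iframe means the top-level context no longer holds it.

```javascript
// Added illustration: a plain-JS model, not browser or spec code.
// All names (makePage, currentPolicy, focusPolicy, replay) are hypothetical.

// Constructed page: a merchant top-level context embedding a cross-origin payment iframe.
function makePage() {
  const top = { name: "merchant", origin: "https://merchant.example", parent: null };
  const frame = { name: "payment", origin: "https://pay.example", parent: top };
  return { top, frame, tabVisible: true, focused: top };
}

// Rule the message describes as current: top-level context of a visible tab.
function currentPolicy(page, ctx) {
  return page.tabVisible && ctx.parent === null;
}

// Proposed mitigation: additionally require that the context itself holds focus.
function focusPolicy(page, ctx) {
  return currentPolicy(page, ctx) && page.focused === ctx;
}

// Replay a timeline and return the ids of readings the top-level context receives.
function replay(policy, timeline) {
  const page = makePage();
  const delivered = [];
  for (const ev of timeline) {
    if (ev.type === "focus") page.focused = page[ev.target];
    else if (ev.type === "visibility") page.tabVisible = ev.visible;
    else if (ev.type === "reading" && policy(page, page.top)) delivered.push(ev.id);
  }
  return delivered;
}

// Constructed timeline: readings 2 and 3 occur while the user types in the iframe.
const timeline = [
  { type: "reading", id: 1 },
  { type: "focus", target: "frame" },
  { type: "reading", id: 2 },
  { type: "reading", id: 3 },
  { type: "focus", target: "top" },
  { type: "reading", id: 4 },
  { type: "visibility", visible: false },
  { type: "reading", id: 5 },
];

console.log("visibility only:", replay(currentPolicy, timeline)); // [1, 2, 3, 4]
console.log("with focus rule:", replay(focusPolicy, timeline));   // [1, 4]
```

Under the visibility-only rule the embedding page still receives the readings taken while the iframe has focus; the focus rule withholds exactly those.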
