Re: [sensors] Avoid PIN skimming attacks by using input element state

So thinking about this a bit more, what's the scenario where this makes sense?

Currently, we're limiting sensor reading output to the top-level browsing context of visible tabs.

So the only case where I see this could be an issue would be in a top-level browsing context trying to snoop on an embedded cross-origin iframe. For example, a merchant that would embed PayPal and try to guess the password during checkout.

Seems like a safer mitigation strategy would be to stop outputting readings when the current browsing context loses focus.

I'm not sure what the precise relation between page visibility and page focus is.

-- 
GitHub Notification of comment by tobie
Please view or discuss this issue at https://github.com/w3c/sensors/issues/189#issuecomment-298915801 using your GitHub account

Received on Wednesday, 3 May 2017 13:48:15 UTC