Re: [sensors] Avoid PIN skimming attacks by using input element state

From: Tobie Langel via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 May 2017 13:48:08 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-298915801-1493819286-sysbot+gh@w3.org>

So thinking about this a bit more, what's the scenario where this makes sense?

Currently, we're limiting sensor reading output to the top-level browsing context of visible tabs.

So the only case where I see this could be an issue would be in a top-level browsing context trying to snoop on an embedded cross-origin iframe. For example, a merchant that would embed PayPal and try to guess the password during checkout.

Seems like a safer mitigation strategy would be to stop outputting readings when the current browsing context loses focus.

I'm not sure what the precise relation between page visibility and page focus is.

GitHub Notification of comment by tobie
Please view or discuss this issue at https://github.com/w3c/sensors/issues/189#issuecomment-298915801 using your GitHub account
Received on Wednesday, 3 May 2017 13:48:15 UTC
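
The scenario in the message above, modelled as an added example (not part of the original message, the specification, or any browser implementation): a constructed event timeline is replayed under the visibility-only rule and under the proposed visibility-plus-focus rule, to show which readings still reach the embedding page while the cross-origin iframe holds focus. The policy names, state fields and timeline are assumptions made for this illustration.

```javascript
// Added illustration: a model of the two gating policies, not browser code.
// Policy names, state fields and the timeline are constructed for this example.
const POLICIES = {
  // Behaviour described in the message: top-level context of a visible tab.
  visibilityOnly: (s) => s.topLevel && s.visible,
  // Proposed mitigation: also require that this context currently holds focus.
  visibilityAndFocus: (s) =>
    s.topLevel && s.visible && s.focusedContext === "top",
};

// Constructed timeline: an embedding page with a cross-origin iframe.
const TIMELINE = [
  { t: 0, type: "reading" },
  { t: 1, type: "focus", target: "iframe" }, // focus moves into the iframe
  { t: 2, type: "reading" },
  { t: 3, type: "reading" },
  { t: 4, type: "focus", target: "top" },    // focus returns to the embedder
  { t: 5, type: "reading" },
  { t: 6, type: "visibility", visible: false }, // tab goes to the background
  { t: 7, type: "reading" },
];

// Replay the timeline and return the readings the top-level page receives,
// each tagged with the context that held focus when it was delivered.
function deliveredReadings(policyName, timeline = TIMELINE) {
  const allow = POLICIES[policyName];
  if (!allow) throw new Error(`unknown policy: ${policyName}`);
  const state = { topLevel: true, visible: true, focusedContext: "top" };
  const delivered = [];
  for (const ev of timeline) {
    if (ev.type === "focus") state.focusedContext = ev.target;
    else if (ev.type === "visibility") state.visible = ev.visible;
    else if (ev.type === "reading" && allow(state))
      delivered.push({ t: ev.t, focusedContext: state.focusedContext });
  }
  return delivered;
}

// Timestamps of readings delivered while the iframe, not the page, had focus.
function exposedDuringIframeFocus(policyName, timeline = TIMELINE) {
  return deliveredReadings(policyName, timeline)
    .filter((r) => r.focusedContext === "iframe")
    .map((r) => r.t);
}

for (const name of Object.keys(POLICIES)) {
  console.log(name, "exposed at t =", exposedDuringIframeFocus(name));
}
```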