
Re: [sensors] Avoid PIN skimming attacks

From: Tobie Langel via GitHub <sysbot+gh@w3.org>
Date: Thu, 04 May 2017 08:18:44 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-299123294-1493885923-sysbot+gh@w3.org>
So there are the following four scenarios here:

1. User is typing in an input field that's on the page itself: we don't care about skimming in that case, as the web page can just do `input[type=password].value` to get the value.
2. User is typing in a different browsing context altogether: we can solve this using focus (still todo).
3. User is typing in an iframe that's from a different origin: we can also solve this using focus (also still todo).
4. User is in another app or a browser extension: there's currently nothing we can do rigorously in spec, as in some cases the browsing context does not lose focus and can stay visible. Instead we need to mention the threat in the spec and suggest mitigation strategies such as "user agent should lose focus when the user navigates to a different app", or something like that.

-- 
GitHub Notification of comment by tobie
Please view or discuss this issue at https://github.com/w3c/sensors/issues/189#issuecomment-299123294 using your GitHub account
Received on Thursday, 4 May 2017 08:18:52 UTC
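As an added illustration (not part of the original thread, and not the Sensors spec's own text or algorithm), the following JavaScript models a user agent that delivers sensor readings to a page only while that page's document has focus and is visible, which is the mitigation the comment above proposes for scenarios 2 and 3. The event names and the three traces are constructed; the third trace models the "user agent should lose focus when the user navigates to a different app" suggestion for scenario 4 as a synthetic blur.

```javascript
// Added example, not from the original thread or the Sensors spec:
// a minimal model of a user agent that delivers sensor readings to a
// page only while that page's document has focus and is visible.
// Event names and the scenario traces below are constructed for
// illustration.

class FocusGatedSensor {
  constructor() {
    this.focused = true;
    this.visible = true;
    this.delivered = []; // readings the page actually received
    this.dropped = [];   // readings suppressed by the focus/visibility gate
  }

  // Track the UA's focus/visibility state and gate readings on it.
  handle(event) {
    switch (event.type) {
      case 'focus': this.focused = true; break;
      case 'blur': this.focused = false; break;
      case 'visibilitychange': this.visible = event.visible; break;
      case 'reading':
        if (this.focused && this.visible) this.delivered.push(event.value);
        else this.dropped.push(event.value);
        break;
      default: throw new Error(`unknown event type ${event.type}`);
    }
  }
}

// Replay a trace of events and report which readings reached the page.
function runTrace(trace) {
  const ua = new FocusGatedSensor();
  for (const ev of trace) ua.handle(ev);
  return { delivered: ua.delivered, dropped: ua.dropped };
}

// Scenarios 2/3: the user moves to another browsing context (or a
// cross-origin iframe) to type a PIN. The UA fires blur on the listening
// page, so the motion readings produced while the PIN is typed never reach it.
const crossContextTrace = [
  { type: 'reading', value: 'r1' },    // page focused: delivered
  { type: 'blur' },                    // user clicks into the other context
  { type: 'reading', value: 'pin-1' }, // typed in the other context: dropped
  { type: 'reading', value: 'pin-2' },
  { type: 'focus' },                   // user returns to the page
  { type: 'reading', value: 'r2' },    // delivered again
];

// Scenario 4: the user switches to another app or an extension popup that
// overlays the page without the page losing focus or visibility. The gate
// never closes, so the readings produced during PIN entry are delivered.
// This is the gap the comment says the spec can only document and advise on.
const overlayTrace = [
  { type: 'reading', value: 'r1' },
  // no blur and no visibilitychange: the overlay does not take focus away
  { type: 'reading', value: 'pin-1' },
  { type: 'reading', value: 'pin-2' },
];

// The UA-side mitigation the comment suggests, modelled as the UA dropping
// focus when the user leaves for another app.
const overlayWithMitigationTrace = [
  { type: 'reading', value: 'r1' },
  { type: 'blur' },                    // UA-generated: user left for another app
  { type: 'reading', value: 'pin-1' },
  { type: 'reading', value: 'pin-2' },
];

console.log('scenarios 2/3:', runTrace(crossContextTrace));
console.log('scenario 4, no mitigation:', runTrace(overlayTrace));
console.log('scenario 4, UA drops focus:', runTrace(overlayWithMitigationTrace));
```

The point of the three traces is that the gate is only as good as the focus and visibility signals the user agent actually produces: in the second trace nothing in the page's own state changes while the PIN is typed elsewhere, so a spec-level rule keyed on focus cannot help unless the user agent itself treats leaving for another app as losing focus.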

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 12:18:53 UTC