Re: [sensors] Take into account user gestures as an input for security policy enforcement

User activation to get security on top-level pages tends not to be very effective as it's really easy to get a user to click on a top-level page. What we've done elsewhere is to try to require user activation in cross-origin iframes. That way, a third party you don't trust embedded on your site that the user doesn't even know about can't get at the sensor data. Unlike the top-level page, it's not trivial for a cross-origin iframe to hijack a user gesture without cooperation of the top-level page. The user has to actually click on that frame.

The way we've done this is that there's a sticky bit on frames. Until a cross-origin frame has had one user activation, the API fails. Chrome so far is using this for a few things (vibrate, navigation of the top page by the iframe, etc.) and it seems to be working pretty well so far at mitigating abuse without breaking too many use cases.

User activation can be useful on top-level pages, but rarely for privacy/security. It's useful to minimize user annoyance (e.g. to limit the number of popups). The only security-ish use I know of for user activation in the top-level is fullscreen, where it's used to disallow the page from trapping the user in fullscreen.

If the data is so sensitive that you don't trust top-level pages, then you probably need to consider more severe restrictions like a permission-based API.

-- 
GitHub Notification of comment by ojanvafai
Please view or discuss this issue at https://github.com/w3c/sensors/issues/196#issuecomment-304477767 using your GitHub account

Received on Saturday, 27 May 2017 21:33:28 UTC
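The sticky per-frame activation bit the comment describes, as an added JavaScript simulation that is neither browser code nor anything from the sensors repository; the origins, the sensor reading and the propagation rule (a click activates the clicked frame and its same-origin ancestors only) are constructed assumptions for the example. Current browsers expose the same sticky bit to script as `navigator.userActivation.hasBeenActive`.

```javascript
// Added example: simulation of the sticky per-frame user-activation gate
// described in the comment. Not browser code; origins/readings are made up.
class Frame {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.hasBeenActivated = false; // the sticky bit: set once, never cleared
  }
  get top() {
    let f = this;
    while (f.parent) f = f.parent;
    return f;
  }
  // A real click lands in exactly one frame. Assumed propagation rule: it
  // activates that frame and its same-origin ancestors only, so a click on
  // the top-level page never activates a cross-origin child.
  receiveUserClick() {
    for (let f = this; f; f = f.parent) {
      if (f.origin === this.origin) f.hasBeenActivated = true;
    }
  }
  // Policy gate: top-level and same-origin frames are not gated;
  // a cross-origin frame must carry the sticky bit.
  canUseGatedApi() {
    return this.origin === this.top.origin || this.hasBeenActivated;
  }
}
// The gated API: a constructed reading, or a refusal the caller can inspect.
function requestSensor(frame) {
  if (!frame.canUseGatedApi()) {
    return { ok: false, reason: 'cross-origin frame has had no user activation' };
  }
  return { ok: true, reading: { x: 0.01, y: 0.02, z: 9.81 } };
}
// Publisher page embedding a third-party frame the user may not notice.
function scenario() {
  const top = new Frame('https://publisher.example');
  const widget = new Frame('https://widget.example', top);
  const r = {};
  r.topWithoutClick = requestSensor(top).ok;        // true: top level is not gated
  r.widgetWithoutClick = requestSensor(widget).ok;  // false
  top.receiveUserClick();                           // user clicks the publisher page
  r.widgetAfterTopClick = requestSensor(widget).ok; // still false
  widget.receiveUserClick();                        // user clicks inside the frame
  r.widgetAfterOwnClick = requestSensor(widget).ok; // true
  r.widgetSecondCall = requestSensor(widget).ok;    // true: the bit is sticky
  return r;
}
```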