
Re: [sensors] Add mitigation strategy for skimming attacks when focus is lost.

From: Alexander Shalamov via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 15:27:11 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-304915014-1496158029-sysbot+gh@w3.org>

I think we need to revisit this PR and #217, since major concerns have not been addressed.
We need to define #217 suspend / resume operations for Sensor objects, so that the platform can release resources when the page is losing (gaining) focus (visibility) or the document does not need sensor data (focused iframe).

The sentence "must not be delivered in such cases" does not suffice, since we don't have such a term.
The "[=sensor readings=] are delivered..." readings are delivered only through the Sensor.reading getter.

This PR introduces a few issues:
- Sensors are not suspended and HW resources are not released
- Sensors are still firing 'onchange' and adding 'update sensor reading' tasks
- Reduced performance, since the Sensor.reading accessor has to run the focusing algorithm before providing data

As I explained in the first review round, it would be better to have a simpler model.
- OnFocusLost => Suspend sensors
- OnFocusGained => Resume sensors
- OnVisibilityLost => Suspend sensors
- OnVisibilityGained => Resume sensors

@tobie @pozdnyakov @anssiko How to proceed? Reopen corresponding issues and make new PRs?

@tobie Sorry for the noise, I was hoping you would not merge this PR until we find the best solution.

GitHub Notification of comment by alexshalamov
Please view or discuss this issue at https://github.com/w3c/sensors/pull/213#issuecomment-304915014 using your GitHub account
Received on Tuesday, 30 May 2017 15:27:17 UTC
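
The two models contrasted in the message above, as an added example that is not part of the original comment, the PR, or the Generic Sensor specification. Every class and method name is a hypothetical stand-in, and the tick timeline is constructed. Both models hide the reading while focus is lost; they differ in whether the hardware keeps sampling and whether update tasks keep being queued.

```javascript
// Added illustration: all class and method names are hypothetical stand-ins,
// not the Generic Sensor API or any browser implementation.
class PlatformSensor {
  constructor() { this.active = false; this.samples = 0; }
  start() { this.active = true; }
  stop() { this.active = false; }   // hardware resource released
  tick() {                          // one hardware sampling opportunity
    if (!this.active) return false;
    this.samples++;
    return true;
  }
}

// Model A: sensor keeps running; the reading getter checks focus on each access.
class GatedSensor {
  constructor(hw) { this.hw = hw; this.tasks = 0; this.allowed = true; hw.start(); }
  setState(focused, visible) { this.allowed = focused && visible; }
  onPlatformTick() { if (this.hw.tick()) this.tasks++; }  // update task still queued
  get reading() { return this.allowed ? this.hw.samples : null; }
}

// Model B: suspend on focus or visibility loss, resume once both are regained.
class SuspendingSensor {
  constructor(hw) { this.hw = hw; this.tasks = 0; hw.start(); }
  setState(focused, visible) {
    if (focused && visible) this.hw.start(); else this.hw.stop();
  }
  onPlatformTick() { if (this.hw.tick()) this.tasks++; }
  get reading() { return this.hw.active ? this.hw.samples : null; }
}

// Constructed timeline: 3 ticks focused, 5 ticks after focus loss, 1 tick after regain.
function simulate(SensorClass) {
  const hw = new PlatformSensor();
  const sensor = new SensorClass(hw);
  for (let i = 0; i < 3; i++) sensor.onPlatformTick();
  sensor.setState(false, true);
  for (let i = 0; i < 5; i++) sensor.onPlatformTick();
  const blurred = { reading: sensor.reading, hwActive: hw.active, tasks: sensor.tasks };
  sensor.setState(true, true);
  sensor.onPlatformTick();
  return { blurred, samples: hw.samples, tasks: sensor.tasks, reading: sensor.reading };
}

console.log("gated:", simulate(GatedSensor));
console.log("suspending:", simulate(SuspendingSensor));
```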
