
Re: [sensors] Add mitigation strategy for skimming attacks when focus is lost.

From: Tobie Langel via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 18:31:52 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-304967654-1496169111-sysbot+gh@w3.org>

> That is exactly the problem I mentioned multiple times, it should not be there! It is like running rendering with webgl at full speed and checking if we need to render anything in the middle of the algo. There should be no 'update sensor reading' scheduled at all.

Again, please see https://w3c.github.io/sensors/#equivalent:

> Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

> If informative section that defines applicability of this algorithm (MAY), then algorithm should not be used in normative sections? Am I right?

Well again, the algorithm is invoked in https://w3c.github.io/sensors/#update-latest-reading (which I know needs cleanup, etc., but that's orthogonal to the current issue).

> Whole spec is flaky at the moment :D,

Well, you know, you have to start somewhere. :)

> let's avoid adding more flaky stuff and revert this PR and address it properly. Fix nested browsing contexts with different origins and visibility. Focusing can be done in-parallel and when we have hooks, we can call proper suspend / resume algos.

The only things I'm hearing at this point are (1) editorial preferences _which we both share_ but which cannot be properly specified normatively until the issue is addressed in HTML (I've reopened #222 so we continue tracking this), and (2) a misunderstanding of the conformance requirements which specifically state that "the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant."

If you have **normative** problems with this particular part of the spec, please file an issue and I will be happy to address them.




-- 
GitHub Notification of comment by tobie
Please view or discuss this issue at https://github.com/w3c/sensors/pull/213#issuecomment-304967654 using your GitHub account
Received on Tuesday, 30 May 2017 18:31:59 UTC
