[wake-lock] Introduce rate limiting to prevent wake lock abuse

arturjanc has just created a new issue for https://github.com/w3c/wake-lock:

== Introduce rate limiting to prevent wake lock abuse ==
In addition to the security and privacy considerations already covered in the spec (https://www.w3.org/TR/wake-lock/#security-and-privacy-considerations), it seems that there are a couple of other concerns:

1. The side-channel based on the OS-level lock allows communication not only between different documents, but also between completely separate browser profiles or User Agents running on the same device. This may allow identifying users who rely on such compartmentalization for privacy.

2. When a website acquires the Wake Lock, this necessarily leaks a bit of information about user activity to other origins. For example, a screen wake lock may indicate that the user started watching a video.

Is it possible to limit the number of times the User Agent may change the state of a wake lock in a given time period (e.g. on the order of a couple of times per minute)? This would prevent the side-channel concern.

When it comes to (2), I'm not sure about a great way to tackle this, other than perhaps not resolving the promise if the acquirer of the wake lock is cross-origin from the listener. Any ideas?

Please view or discuss this issue at https://github.com/w3c/wake-lock/issues/124 using your GitHub account

Received on Monday, 16 April 2018 14:07:18 UTC
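
One way a User Agent could enforce the limit on wake lock state changes proposed in the issue, as an added sketch that is not part of the original message or the spec. The class and function names, the budget of 2 changes per 60 seconds, and the policy of refusing over-budget changes (leaving the OS-level state as it is) are all assumptions.

```javascript
// Added sketch: caps how often the OS-level wake lock state may flip.
// maxChanges/windowMs are assumed values, not taken from the spec.
class WakeLockStateLimiter {
  constructor(maxChanges = 2, windowMs = 60000) {
    this.maxChanges = maxChanges;
    this.windowMs = windowMs;
    this.changeTimes = []; // timestamps of transitions that were applied
    this.locked = false;   // current OS-level lock state
  }

  // Returns true only if the OS-level state actually changed.
  requestState(wantLocked, nowMs) {
    // Same state as now: nothing observable happens, no budget is used.
    if (wantLocked === this.locked) return false;
    // Forget transitions that have aged out of the sliding window.
    this.changeTimes = this.changeTimes.filter(t => nowMs - t < this.windowMs);
    // Budget spent: refuse and keep the current state (assumed policy).
    if (this.changeTimes.length >= this.maxChanges) return false;
    this.changeTimes.push(nowMs);
    this.locked = wantLocked;
    return true;
  }
}

// Constructed workload: a page alternating acquire/release on every tick.
// Returns how many transitions another observer on the device could see.
function countObservableTransitions(limiter, tickMs, durationMs) {
  let applied = 0;
  for (let i = 0, t = 0; t < durationMs; i++, t += tickMs) {
    const wantLocked = i % 2 === 0;
    if (limiter.requestState(wantLocked, t)) applied++;
  }
  return applied;
}

// Unlimited vs. limited, toggling every 100 ms for one minute.
const unlimited = countObservableTransitions(
  new WakeLockStateLimiter(Infinity, 60000), 100, 60000);
const limited = countObservableTransitions(
  new WakeLockStateLimiter(2, 60000), 100, 60000);
console.log({ unlimited, limited });
```

The limiter has to sit where the OS-level lock is changed and be shared by every document in the User Agent, since a per-document budget could be multiplied by opening more documents.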