Re: [wake-lock] Introduce rate limiting to prevent wake lock abuse

On your first point, I think the communication channel between separate User Agents can be prevented by only reporting wake lock status for this particular user agent, not system-wide status. I.e. when a user agent has not requested wake lock, it will report wake lock status as inactive even though some other user agent or another OS-level application might be currently holding the wake lock. 

As for cross-origin channel, I think it is possible to mitigate by only reporting wake lock status to an origin if it has at least one outstanding wake lock request (if it doesn't, report as inactive). In this case, an origin can only see wake lock status if it itself has requested the wake lock and it wouldn't be able to tell if some other origin has also requested it, provided that requests from multiple origins are combined using logical OR (which they are).

As for number of times limiting, how would this prevent side channels?

GitHub Notification of comment by andrey-logvinov
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 18 April 2018 11:26:04 UTC