Re: [screen-wake-lock] Security Review (#282)

Having personally seen my system fail to go to sleep because there is a small video playing on a page I left open, the status quo argument isn't particularly compelling to me. A purpose of this specification is to allow sites to be explicit about when they want to acquire a wake lock so that browsers can provide better automated and manual controls to prevent intentional and incidental issues.

As currently implemented in Chromium there is no visible indicator. This concern was raised during internal security review and the winning argument was that the feature announces itself by the fact that the screen remains on and the user is always in control because they can take manual steps to turn the screen off. We agreed that if abuse of the API was observed then further steps could be taken, including adding a visible indicator or automatically denying the wake lock.

At this point in its development I think it is premature to mandate particular mitigations against potential abuse. Browser implementations must be able to evaluate the behavior they see affecting their users and experiment with ways to protect them. I think the current language of SHOULD when it comes to these mitigations is appropriate.

-- 
GitHub Notification of comment by reillyeon
Please view or discuss this issue at https://github.com/w3c/screen-wake-lock/issues/282#issuecomment-692937084 using your GitHub account


Received on Tuesday, 15 September 2020 19:42:52 UTC