# Device APIs and Policy Working Group Teleconference

## 06 Oct 2010

[Agenda][3]

See also: [IRC log][4]

## Attendees

Present: Robin_Berjon, Frederick_Hirsch, Dominique_Hazael-Massieux, LauraA, Dong-Young_Lee, Claes_Nilsson, Wonsuk_Lee, Richard_Tibbett, Anssi_Kostiainen, Ilkka_Oksanen, Niklas_Widell, Cecile_Marc, Bryan_Sullivan, Ingmar_Kliche

Regrets: Marco_Marengo, Suresh_Chitturi

Chair: Robin_Berjon, Frederick_Hirsch

Scribe: Claes

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes approval][7]
  3. [Permissions][8]
  4. [Privacy][9]
  5. [APIs][10]
  6. [Contacts][11]
  7. [Capture API][12]
  8. [Calendar][13]
  9. [Sys Info][14]
* [Summary of Action Items][15]

* * *

Date: 06 October 2010

### Administrative

Scribenick: Claes

WG questionnaire (for all), [http://www.w3.org/2002/09/wbs/43696/tpac2010dap/][16]

TPAC registration (for in-person attendees), [http://www.w3.org/2002/09/wbs/35125/TPAC2010reg/][17]

Reminder for everyone to register

"Permissions for Device API Access" published as First Public Working Draft, [http://w3.org/TR/api-perms][18]

Reminder, no call next week (13 October 2010 Teleconference Cancelled)

Next teleconference 20 October, [http://www.w3.org/2009/dap/minutes][19]

### Minutes approval

[http://lists.w3.org/Archives/Public/public-device-apis/2010Sep/att-0160/minutes-2010-09-29.html][20]

Proposed RESOLUTION: Minutes from 29 Sept 2010 approved

**RESOLUTION: Minutes from 29 Sept 2010 approved**

### Permissions

Draft published, [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0006.html][21]

Welcome Cecile!

New member: Cecile Marc, Orange

### Privacy

[http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0008.html][22]

Alissa added issues to draft

ACTION-210?

ACTION-210 -- Alissa Cooper to summarize and add issues to ruleset doc -- due 2010-07-21 -- OPEN

[http://www.w3.org/2009/dap/track/actions/210][23]

W3C Workshop on Privacy and data usage control held 4-5 October, [http://www.w3.org/2010/policy-ws/agenda.html][24]

Workshop in Boston

[http://www.w3.org/2010/policy-ws/papers/03-Doty-Wilde-Berkeley.pdf][25]

[http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/][26]

[http://www.w3.org/2010/policy-ws/papers/04-Hart-stonybrook.pdf][27]

### APIs

### Contacts

Event based invocation: [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0001.html][28]

[http://dev.w3.org/2009/dap/contacts/Overview.html#api-invocation-via-dom-events][29]

[+1 from me]

Richard: Added an informative section on invocation via DOM events

Robin: Wants it normative

... go ahead and add it (e.g. "touchstart")

Robin: worries if we start whitelisting events (there is a new proposed WG to work on touch interfaces)

Richard: Will work on this and make it normative

Touch working group, [http://www.w3.org/2010/07/touchinterface-charter.html][30]

Ilkka: Good optimization. Also usable in capture API

(I would start putting it individually in specs, and factoring it out only when it's clear that it's productive)

Ilkka: could we make it reusable?

richt, you wanted to respond to Ilkka RE: device API

[+1 to DOM]

Richard: Agrees, it could be applicable in capture API as well

... need `<device>` element?

... a JS way to call JS API

(I'm doubtful about this; `<device>` had all sorts of protections (in terms of styling, clickjacking, etc.) IIRC)

[I'm starting to think we're doing a little too much design on the fly orally]

Richard: could deprecate `<device>` element?

Do we understand the privacy and security implications of this approach, and could that be added to the section in this document?

[fjh, no, we don't really yet, but it's worth investigating]

(the other thing is that the `<device>` element is a streaming API, very relevant for capture, but possibly distinguishable)

[agree that it is worth investigating]

More productive to continue this discussion by e-mail

Clickjacking and coercion need review

Bryan: Could we describe clickjacking in the security and privacy section?

Richard: Nothing is shared until the user chooses

Robin: denial of service not an issue since picker is modal, unlike window.open

Rich: The prompt is modal..

Sorry, lost phone connection

Yes, I am calling

Rich: we should note this in the spec, even though it might appear controversial

Having trouble calling in

Anssi: clickjacking could be a serious attack, a big concern

Anssi: attack could make it likely to take a picture etc. without intending to. Should take this risk seriously

Rich: tested in various browsers with a variety of means to generate click events, and can do now already, but gets stopped at dialog

Anssi: where do we find examples of clickjacking attacks?

We could ask public-web-security?

Back, had to use US number

Scribenick: Claes

(so, maybe the `<device>`-replacement idea should be put into a document on its own while we work on it?)

Rich: Normative or not?

+1, having a separate document would address Ilkka's concern about reuse

(or just an action on Rich?)

Proposed RESOLUTION: the `<device>`-replacement idea should be put into a document on its own while we work on it

**ACTION:** Richard to put his ideas on the `<device>` alternative in a separate editors draft [recorded in [http://www.w3.org/2010/10/06-dap-minutes.html#action01][31]]

Created ACTION-283 - Put his ideas on the `<device>` alternative in a separate editors draft [on Richard Tibbett - due 2010-10-13].

### Capture API

Action on review to review Privacy

Sorry, couldn't find user - on

Will be done within two weeks

ACTION-251 due +2 weeks

ACTION-251 Review privacy text related to ISSUE-78 for capture due date now +2 weeks

### Calendar

Suresh not present

### Sys Info

ACTION-213?

ACTION-213 -- Dong-Young Lee to review sysinfo draft after edits made -- due 2010-07-21 -- OPEN

[http://www.w3.org/2009/dap/track/actions/213][32]

[http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0002.html][33]

Is anyone aware of navigator.connection.type in Android?

I've pointed to it a couple of months ago

I'd like to approach Sys Info API security in a similar way...

...limit the info available but no security prompts.

Rich: navigator.connection.type in Android says the type of connection

... will aim to produce a proposal based on the above

[some info on clickjacking from The Open Web Application Security Project: [http://www.owasp.org/index.php/Clickjacking][34]]

Rich: without security prompting etc.

(I agree network.connection.type is indeed pretty harmless a priori; enabling it would require a lot of changes to the architecture of sysinfo a priori)

Dong: Have reviewed Sys Info. Would like more examples

(looking at the network interface in sysinfo, everything seems actually pretty harmless, even taken in combination; maybe the security model for networkinfo should be no prompt?)

ACTION-243?

ACTION-243 -- Dong-Young Lee to review sysinfo draft after edits made -- due 2010-08-09 -- OPEN

[http://www.w3.org/2009/dap/track/actions/243][35]

ACTION-243 closed

ACTION-243 Review sysinfo draft after edits made closed

ACTION-243: feedback is: more examples would make the document easier to understand

ACTION-243 Review sysinfo draft after edits made notes added

## Summary of Action Items

**[NEW]** **ACTION:** Richard to put his ideas on the `<device>` alternative in a separate editors draft [recorded in [http://www.w3.org/2010/10/06-dap-minutes.html#action01][31]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][36] version 1.135 ([CVS log][37])
$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0007.html
[4]: http://www.w3.org/2010/10/06-dap-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #ActionSummary
[16]: http://www.w3.org/2002/09/wbs/43696/tpac2010dap/
[17]: http://www.w3.org/2002/09/wbs/35125/TPAC2010reg/
[18]: http://w3.org/TR/api-perms
[19]: http://www.w3.org/2009/dap/minutes
[20]: http://lists.w3.org/Archives/Public/public-device-apis/2010Sep/att-0160/minutes-2010-09-29.html
[21]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0006.html
[22]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0008.html
[23]: http://www.w3.org/2009/dap/track/actions/210
[24]: http://www.w3.org/2010/policy-ws/agenda.html
[25]: http://www.w3.org/2010/policy-ws/papers/03-Doty-Wilde-Berkeley.pdf
[26]: http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/
[27]: http://www.w3.org/2010/policy-ws/papers/04-Hart-stonybrook.pdf
[28]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0001.html
[29]: http://dev.w3.org/2009/dap/contacts/Overview.html#api-invocation-via-dom-events
[30]: http://www.w3.org/2010/07/touchinterface-charter.html
[31]: http://www.w3.org/2010/10/06-dap-minutes.html#action01
[32]: http://www.w3.org/2009/dap/track/actions/213
[33]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0002.html
[34]: http://www.owasp.org/index.php/Clickjacking
[35]: http://www.w3.org/2009/dap/track/actions/243
[36]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[37]: http://dev.w3.org/cvsweb/2002/scribe/