- From: Kostiainen, Anssi <anssi.kostiainen@intel.com>
- Date: Mon, 20 Jan 2014 13:30:15 +0000
- To: Lisa Seacat DeLuca <ldeluca@us.ibm.com>
- CC: "public-device-apis@w3.org" <public-device-apis@w3.org>
On 17 Jan 2014, at 22:38, Lisa Seacat DeLuca <ldeluca@us.ibm.com> wrote: > Has everyone seen this? > > http://shkspr.mobi/blog/2014/01/malicious-use-of-the-html5-vibrate-api/ Thanks for the pointer. Do you think there is something we could do specification-wise? The spec is already clear on that regular web pages that are invisible cannot vibrate the device. Also, the user consent mechanism to use (or not to use) is left to the implementation. In this specific case, I think the "ask forgiveness” approach used in the Fullscreen API might work pretty well to mitigate the attack: http://blog.pearce.org.nz/2013/12/why-does-html-fullscreen-api-ask-for.html I’m planning to do an update to the spec soonish to close my open actions, so if there are suggestions e.g. to the non-normative sections to improve feel free to propose suggestions. Generally I echo Dom’s comments (in the blog post) that the same issues apply to many new capabilities added to the platform that allow regular web content to behave more like native apps, use new capabilities traditionally available to native apps only. Thanks, -Anssi
Received on Monday, 20 January 2014 13:30:49 UTC