
Re: Malicious Use of the HTML5 Vibrate API

From: Kostiainen, Anssi <anssi.kostiainen@intel.com>
Date: Mon, 20 Jan 2014 13:30:15 +0000
To: Lisa Seacat DeLuca <ldeluca@us.ibm.com>
CC: "public-device-apis@w3.org" <public-device-apis@w3.org>
Message-ID: <C74F02B0-1530-4358-98F8-C7E013048A7A@intel.com>
On 17 Jan 2014, at 22:38, Lisa Seacat DeLuca <ldeluca@us.ibm.com> wrote:

> Has everyone seen this? 
> 
> http://shkspr.mobi/blog/2014/01/malicious-use-of-the-html5-vibrate-api/

Thanks for the pointer. Do you think there is something we could do specification-wise?

The spec is already clear that regular web pages that are invisible cannot vibrate the device.

Also, the user consent mechanism to use (or not to use) is left to the implementation. In this specific case, I think the "ask forgiveness" approach used in the Fullscreen API might work pretty well to mitigate the attack:

  http://blog.pearce.org.nz/2013/12/why-does-html-fullscreen-api-ask-for.html

I'm planning to do an update to the spec soonish to close my open actions, so if there are suggestions, e.g. to the non-normative sections, to improve, feel free to propose them.

Generally I echo Dom's comments (in the blog post) that the same issues apply to many new capabilities added to the platform that allow regular web content to behave more like native apps and use new capabilities traditionally available to native apps only.

Thanks,

-Anssi
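As an added illustration of the two mitigations raised in this message (not code from the thread, the Vibration API spec or any browser), the model below gates a vibrate() call on document visibility and adds a Fullscreen-style "ask forgiveness" notice that lets the user revoke further vibration. The `device` and `notify` hooks are assumed test doubles; the zero-pattern cancel rule is a simplification of the spec's processing steps.

```javascript
// Illustrative model only: not any browser's implementation of navigator.vibrate().
class VibrationGate {
  // doc:    object with a boolean `hidden` (like document.hidden)
  // device: object with vibrate(list) and cancel()  (constructed test double)
  // notify: called once, with a revoke callback, the first time a page vibrates
  constructor(doc, device, notify) {
    this.doc = doc;
    this.device = device;
    this.notify = notify;
    this.noticeShown = false;
    this.revoked = false;
  }

  // Mirrors the shape of navigator.vibrate(): false when the request is
  // refused, true when it is honoured (or when it cancels a running pattern).
  vibrate(pattern) {
    const list = typeof pattern === "number" ? [pattern] : Array.from(pattern);
    // An empty or all-zero pattern is a cancel request; always honour it,
    // so a page can never be prevented from stopping its own vibration.
    if (list.every((ms) => ms === 0)) {
      this.device.cancel();
      return true;
    }
    // Spec rule discussed above: an invisible document gets no vibration.
    if (this.doc.hidden) return false;
    // "Ask forgiveness": the user already said stop, so refuse silently.
    if (this.revoked) return false;
    // First vibration from this page: tell the user after the fact and give
    // them a way to revoke, rather than asking for permission up front.
    if (!this.noticeShown) {
      this.noticeShown = true;
      this.notify(() => this.revoke());
    }
    this.device.vibrate(list);
    return true;
  }

  // Invoked when the user dismisses the notice with "stop vibrating".
  revoke() {
    this.revoked = true;
    this.device.cancel(); // stop anything already running
  }
}
```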
Received on Monday, 20 January 2014 13:30:49 UTC
