Re: [wake-lock] Wake Lock API Security & Privacy Questionnaire self-review

On 09/03/2016 12:09, Andrey Logvinov wrote:
> I have reviewed the Wake Lock API spec against the Security and Privacy
> Self-Review Questionnaire: https://w3ctag.github.io/security-questionnaire/

Thanks for looking into this; a couple of thoughts in-line below.

> 3.13. Does this specification distinguish between behavior in
> first-party and third-party contexts?
> No, but this shouldn't be an issue because the Wake Lock API does not
> introduce or use any shared state between script origins. The Wake Lock
> API specifically does not involve network requests and/or cookies.

I think the first-party/third-party contexts might deserve more
thought; among other things, should the use of the wake-lock API be allowed
in embedded iframes from a different origin? Put more pointedly, should
a random ad embedded as an iframe be in a position to activate the
keepAwake state?

> 3.16. Does this specification have a "Security Considerations" and
> "Privacy Considerations" section?
> Not yet. Though keeping the screen awake is a potential opportunity for
> a DoS-type attack on the user device by keeping the screen on for
> prolonged periods of time, which might cause the device to consume
> battery charge faster than the user would normally expect. When the
> battery becomes fully discharged, the device will turn off and leave the
> user without access to network and/or phone services, including
> emergency call service. This is already somewhat mitigated by the
> limitation that a wake lock request is considered only when the
> requesting Document is visible. I think a "Security Considerations"
> section is worth adding to the specification.

+1; we also have the provision of wake lock applicability, which allows
the UA to disable wake lock e.g. when there is insufficient charge. It
would be useful to point this out in a security consideration section.

Dom

Received on Wednesday, 9 March 2016 16:51:53 UTC