- From: Mandyam, Giridhar <mandyam@qti.qualcomm.com>
- Date: Fri, 4 Dec 2015 22:11:38 +0000
- To: "Maryam Mehrnezhad (PGR)" <m.mehrnezhad@newcastle.ac.uk>, public-geolocation <public-geolocation@w3.org>
- CC: "npdoty@ischool.berkeley.edu" <npdoty@ischool.berkeley.edu>
- Message-ID: <929862734f6645819967d09cb5a32664@NASANEXM01H.na.qualcomm.com>

Hello All,

One comment was received via the public list, and it is appended below (thanks - Maryam!). As a result, an issue has been created to track - see https://github.com/w3c/deviceorientation/issues/24. Once this issue has been addressed, then the specification can go for broader review as required by the new process.

-Giri

From: Maryam Mehrnezhad (PGR) [mailto:m.mehrnezhad@newcastle.ac.uk]
Sent: Sunday, November 29, 2015 11:50 AM
To: public-geolocation
Cc: npdoty@ischool.berkeley.edu
Subject: Re: Regarding DeviceOrientation Specification - "Last Call"

Dear all,

Submission of Comment:
Following Nick's point in http://www.w3.org/2015/10/26-geolocation-minutes.html#item03, we would like to attract the community's attention, once again, to the missed security/privacy discussion in the current version of the specification.

Browsers' Feedback:
Based on the results of our security research, we followed your advice toward contacting the browser vendors directly. All major browsers including Safari, Firefox, Chrome, and Opera have acknowledged the issue and are working on the mitigations suggested by us. Please see the following links for details (Log-in needed):
https://bugzilla.mozilla.org/show_bug.cgi?id=1197901
https://code.google.com/p/chromium/issues/detail?id=523320
For Apple and Opera we have been in contact through confidential emails.

Our Suggestion:
We believe raising this issue in the W3C specification would help the browsers to consider it in a more systematic and consistent way. Our suggestion for the new version of the specification is to include an "explicit" section for security and privacy considerations, similar to the policy of W3C on Ambient Light.

As mentioned in the Ambient Light specification in http://www.w3.org/TR/ambient-light/#security-and-privacy-considerations:
"The event defined in this specification is only fired in the top-level browsing context <http://www.w3.org/TR/ambient-light/#dfn-top-level-browsing-context> to avoid the privacy risk of sharing the information defined in this specification with contexts unfamiliar to the user. For example, a mobile device will only fire the event on the active tab, and not on the background tabs or within iframes."

Our Research:
For the detailed information of the mobile browsers' behavior on the orientation and motion sensor, and possible attack vectors, please refer to our journal paper which has been accepted by Journal of Information Security and Applications: (http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf).

Many thanks,
Maryam Mehrnezhad
PhD Student in the School of Computing Science, Newcastle University, UK

________________________________

From: Mandyam, Giridhar <mandyam@qti.qualcomm.com>
Sent: Saturday, November 14, 2015 3:17 PM
To: public-geolocation
Cc: Tim Volodine
Subject: Regarding DeviceOrientation Specification - "Last Call"

Hello Geolocation Working Group members,

DeviceOrientation has been languishing in standardization for several years now, and part of the reason was the sticking point Tim mentions below (differences between implementations on iOS and other mobile OS's). This has been addressed in the latest version of the specification.

I will now open this specification to "Last Call" in the working group to progress it to a Recommendation status. Note that "Last Call" is not meaningful in the same sense as Last Call for other specifications you may have been involved with in the past. This is now an informal process to collect final comments on the specification - there will not be any Last Call draft.

The deadline for submission of these comments to the public-geo mailing list is November 30, 2015, 12:00 AM US Pacific time.

-Giri Mandyam, Geolocation Working Group Chair

From: Tim Volodine [mailto:timvolodine@google.com]
Sent: Friday, November 13, 2015 9:06 PM
To: public-geolocation
Subject: Update regarding Device Orientation Specification.

DeviceOrientation Event Specification (http://w3c.github.io/deviceorientation/spec-source-orientation.html) has been amended with the following changes:

- added 'deviceorientationabsolute' event,
- the already existing 'deviceorientation' event is now 'relative' by default.

The idea is that the 'deviceorientationabsolute' event can be used in Augmented Reality applications (when the direction of the magnetic north is important), while the 'deviceorientation' event would be suitable for Virtual Reality applications or games.

In particular the reasons behind this change are the following:

- compatibility of 'deviceorientation' with Safari on iOS (where it is 'relative' by default).
- 'deviceorientation' does not require magnetometer anymore and is not distorted by potential external magnetic field.
- usability of 'deviceorientation' for VR applications (e.g. no 'sensor drift' which occurred in the previous 'absolute' implementation).

These changes have been implemented in Chrome for Android but are currently in 'experimental' state, i.e. not yet enabled by default.

thanks,
Tim

Received on Friday, 4 December 2015 22:12:11 UTC