- From: Maximilian Metti via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Dec 2017 20:43:27 +0000
- To: public-geolocation@w3.org
I agree that web security is an important mattter; however, I think we need to be a bit careful here when changing the spec on a feature that has been available for ~7 years. As the tip of the iceberg, as per [[SECURE_CONTEXTS](https://www.w3.org/TR/secure-contexts/#threat-risks)] all of the following sites that allow users to embed 360 video or panorama functionality in to their own web pages will break unless the top-level page also uses HTTPS: - https://developers.google.com/vr/concepts/vrview - https://www.facebook.com/notes/panoramic-photographers-on-facebook/facebook-panorama-embed-tutorial/172042586173194 - many others I work with sensors using these specs on a daily basis and have read many papers that have been cited in the argument for deprecation on insecure pages. These papers, although they present impressive research, do not provide any practical analysis on how personal information could be compromised through these browser, as the academic environment and variables are different from that of this spec (including the discrepancy of the academic firing rate, typically 100-200Hz, compared to maximum 60Hz in the browser), along with other factors that make their proposed machine learning approaches scalable (such as variety of training devices). Some papers aim to address such issues but ultimately note that results degrade significantly once less academic environments are in place. If the Generic Sensors API have a higher firing rate, we should evaluate the security of those sensors separately, though it seems hasty to cite studies to close down this longstanding spec on insecure origins when it is already deprecated for cross-origin applications, especially when the cited research variables doesn't match the spec recommendations (60Hz). Full disclosure: I work at a company that media publishers hire to create ads that use motion sensors. Many of these companies simply cannot afford to secure their webpages due to massive traffic on their website. These companies are not malicious. -- GitHub Notification of comment by maximilianmetti Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/47#issuecomment-349098932 using your GitHub account
Received on Monday, 4 December 2017 20:43:28 UTC