- From: Alexander Shalamov via GitHub <sysbot+gh@w3.org>
- Date: Tue, 21 Nov 2017 14:48:51 +0000
- To: public-geolocation@w3.org

alexshalamov has just created a new issue for https://github.com/w3c/deviceorientation:

== Security and privacy section must be normative ==

[Security & Privacy section](http://w3c.github.io/deviceorientation/spec-source-orientation.html#security-and-privacy) must be made normative to avoid interoperability issues related to cross-origin API access, exposure of powerful features only to secure context, etc.

Currently, browsers implement cross-origin access to the API differently:

**Cross-origin access is blocked in:**
- [Webkit](https://bugs.webkit.org/show_bug.cgi?id=150072)
- [Mozilla](https://hg.mozilla.org/releases/mozilla-aurora/rev/163849e878fc)

**Cross-origin access is allowed in:**
- Chromium ([Issue 598674](https://bugs.chromium.org/p/chromium/issues/detail?id=598674))
- Edge
- IE (IE11)

**Proposal:**
- Make Security & Privacy normative
- Block access to cross-origin iframes
- As the Device Motion & Orientation exposes sensitive data, restrict access only to secure contexts
- Reuse applicable mitigation strategies from Generic Sensor API https://w3c.github.io/sensors/#security-and-privacy

Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/46 using your GitHub account

Received on Tuesday, 21 November 2017 14:48:56 UTC