Re: [deviceorientation] Add API for requesting permission to receive device motion / orientation events (#57)

From the study referenced in that Wired article (PDF paper: https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf) the recommendations given to browser vendors are as follows:

> * W3C’s recommendation for disabling sensor access on cross-origin iframes [80] will limit the access from untrusted third-party scripts and is a step in the right direction. However, Safari and Firefox are the only two browsers that follow this recommendation. Our measurements indicate that scripts that access sensor APIs are frequently embedded in cross-origin iframes (67.4% of the 31,444 cases). This shows that W3C’s mitigation would be effective at curbing the exposure to untrusted scripts. Allowing sensor access on insecure pages is another issue where browsers do not follow the W3C spec: all nine browsers we studied allowed access to sensors on insecure (HTTP) pages.
> 
> * Feature Policy API [16], if deployed, will allow publishers to selectively disable JavaScript APIs. Publishers may disable sensor APIs using this API to prevent potential misuses by the third-party scripts they embed.
> 
> * Provide low resolution sensor data by default, and require user permission for higher resolution sensor data.
> 
> * To improve user awareness and curb surreptitious sensor access, provide users with a visual indication that the sensor data is being accessed.
> 
> * Require user permission to access sensor data in private browsing mode, limit resolution, or disable sensor access altogether.
> 
> [80] Rich Tibbett, Tim Volodine, Steve Block, and Andrei Popescu. 2018. DeviceOrientation event specification. https://w3c.github.io/deviceorientation/
> 
> [16] Ian Clelland. 2017. Feature policy: Draft community group report. https://wicg.github.io/feature-policy/

This specification could instead be updated to include normative text that limits the sampling rate for `deviceorientation`, `deviceorientationabsolute` and `devicemotion` events to less than or equal to 60 Hz as an effective mitigation for fingerprinting and other security and privacy issues.

At that point, a permissions API could then be introduced for accessing higher frequency sensor data from devices. Or, just require higher frequency sensor data to be obtained only via the Generic Sensor API going forward.

Incremental improvements based on these research recommendations seem possible. Putting all access to these events behind a permission dialog seems like a Really Big Gun to start with. It may still be required to eventually look at that approach, but for an API that has been available for 8+ years this could be extremely damaging for legitimate use cases given its widespread adoption.


-- 
GitHub Notification of comment by richtr
Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/57#issuecomment-447396058 using your GitHub account

Received on Friday, 14 December 2018 17:33:32 UTC
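The two cheaper mitigations discussed in the comment above (cap event delivery at 60 Hz, hand out coarse readings unless more is explicitly requested) are easy to state but worth seeing in executable form. The following is an added example, not code from the thread, the DeviceOrientation specification or any browser: a page-side shim that sits between `deviceorientation` events and application code. The sample shape (`timeStamp`, `alpha`, `beta`, `gamma`), the helper names, the 60 Hz cap and the one-decimal default resolution are all assumptions for illustration, and the synthetic input stream is constructed here rather than captured from a device.

```javascript
// Added example (not from the thread, the spec, or any browser): a shim that
// rate-limits and coarsens orientation samples the way the comment proposes.
// Sample shape, names and the 60 Hz / 1-decimal defaults are assumptions.

const MAX_RATE_HZ = 60;

// Quantize a reading to `decimals` decimal places. null stays null, since
// DeviceOrientationEvent fields are null when a sensor is unavailable.
function quantizeReading(value, decimals) {
  if (value === null || value === undefined || Number.isNaN(value)) {
    return null;
  }
  return Number(value.toFixed(decimals));
}

// Build a filter that drops samples arriving faster than maxRateHz and
// coarsens the ones that survive. Returns null for a dropped sample.
function createSensorLimiter({ maxRateHz = MAX_RATE_HZ, decimals = 1 } = {}) {
  const minIntervalMs = 1000 / maxRateHz;
  let lastDelivered = -Infinity;
  return function limit(sample) {
    if (sample.timeStamp - lastDelivered < minIntervalMs) {
      return null; // too soon after the last delivered sample: drop it
    }
    lastDelivered = sample.timeStamp;
    return {
      timeStamp: sample.timeStamp,
      alpha: quantizeReading(sample.alpha, decimals),
      beta: quantizeReading(sample.beta, decimals),
      gamma: quantizeReading(sample.gamma, decimals),
    };
  };
}

// Constructed input: `rateHz` samples per second for `durationMs` with slowly
// drifting angles, standing in for a browser firing at the raw sensor rate.
function syntheticSamples(rateHz, durationMs) {
  const count = Math.round((durationMs * rateHz) / 1000);
  const intervalMs = 1000 / rateHz;
  const out = [];
  for (let i = 0; i < count; i++) {
    const t = i * intervalMs;
    out.push({ timeStamp: t, alpha: 10 + t * 0.01234, beta: -5.5 + t * 0.00098, gamma: null });
  }
  return out;
}

// Run the limiter over a synthetic stream and count what gets through.
function deliveredCount(rateHz, durationMs, options) {
  const limit = createSensorLimiter(options);
  return syntheticSamples(rateHz, durationMs).map(limit).filter(Boolean).length;
}

// How the shim would sit between the event and the application in a page;
// guarded so the file also runs under Node.
if (typeof window !== 'undefined') {
  const limit = createSensorLimiter();
  window.addEventListener('deviceorientation', (ev) => {
    const coarse = limit(ev);
    if (coarse) console.log(coarse); // application sees <= 60 Hz, 0.1-degree data
  });
}
```

Feeding the limiter a 1000 Hz stream for one second delivers at most 60 samples, while a 30 Hz stream passes untouched. The caveat a practitioner should keep in mind is that a shim like this only demonstrates the behaviour: it protects nothing by itself, because an embedded third-party script can register its own `deviceorientation` listener and receive the raw events. The rate cap and resolution floor only become a mitigation once the browser enforces them, which is why the comment argues for normative text in the spec. The paper's second recommendation, disabling sensor access for embedded third parties with Feature Policy (since renamed Permissions Policy), is enforced by the browser and can be deployed by a publisher today with a response header listing the Generic Sensor feature names, for example `Feature-Policy: accelerometer 'none'; gyroscope 'none'; magnetometer 'none'`.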