- From: Szymon Marczak via GitHub <noreply@w3.org>
- Date: Sat, 21 Jun 2025 22:03:35 +0000
- To: public-pointer-events@w3.org
> Add secure context criteria to pointerrawupdate event and getCoalescedEvents APIs to reduce its exposure to possible attacks.

@NavidZ This does not stop any attacks.

> Both of getCoalescedEvents and pointerrawupdate APIs expose some high frequency input and might expose some fingerprinting possibilities to the app.

This just limits fingerprinting to `https` websites. Considering that you can get free TLS certificates today, this limitation is pointless and just makes [game] development a little bit harder (because you just can't open a local .html anymore, need https). There are other endless possibilities, such as [localhost tracking on mobile devices](https://localmess.github.io/).

I hate to see these artificial limitations. Another example is limiting hash functions to secure contexts only. In those scenarios people just import a third-party library, which is error-prone and only adds technical debt because of this poor decision.

A better fix would be a permission prompt-based system, regardless of whether the website uses encryption or not (and we all know that encryption != authenticity, right? RIGHT?) (see: screen capture on Wayland).

--
GitHub Notification of comment by szmarczak
Please view or discuss this issue at https://github.com/w3c/pointerevents/pull/318#issuecomment-2993790517 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 21 June 2025 22:03:36 UTC