[web-bluetooth] AdvertisingEvent objects may contain service UUIDs that the site has not explicitly requested permission for. (#499)

odejesush has just created a new issue for https://github.com/WebBluetoothCG/web-bluetooth:

== AdvertisingEvent objects may contain service UUIDs that the site has not explicitly requested permission for. ==
Currently, `AdvertisingEvent`s that are fired for `BluetoothDevice`s for which advertisements are being watched may contain service UUIDs that the current site does not have permission to use. This is a privacy risk given that the site is only aware of the services that it explicitly requested, but it may receive service UUIDs in the `AdvertisingEvent` that it was not aware of. The `AdvertisingEvent` should filter out services that the site did not explicitly request access for.

An example case for when this might happen is the following:
1. A site requests a `device` for service A.
2. The site calls `device.watchAdvertisements()`.
3. The device sends an advertisement packet with services A and B listed.
4. An `AdvertisingEvent` is fired on `device` containing services A and B in the `uuids` property.

Please view or discuss this issue at https://github.com/WebBluetoothCG/web-bluetooth/issues/499 using your GitHub account

Received on Monday, 1 June 2020 22:12:04 UTC
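
The filtering proposed in the issue above, sketched as an added example (not code from the Web Bluetooth specification, a browser, or the issue author). The helper names `canonicalUUID`, `allowedServices` and `filterAdvertisedUUIDs` are hypothetical, the two service numbers are constructed stand-ins for "A" and "B", and only numeric aliases and full UUID strings are handled (not service names). UUIDs are canonicalized first so that a 16-bit alias and its 128-bit form compare equal.

```javascript
// Bluetooth base UUID: 16/32-bit aliases expand to xxxxxxxx-0000-1000-8000-00805f9b34fb.
const BASE_UUID_SUFFIX = '-0000-1000-8000-00805f9b34fb';
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Canonicalize a numeric alias or a UUID string to lowercase 128-bit form.
function canonicalUUID(value) {
  if (typeof value === 'number') {
    if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
      throw new TypeError('invalid UUID alias');
    }
    return value.toString(16).padStart(8, '0') + BASE_UUID_SUFFIX;
  }
  const s = String(value).toLowerCase();
  if (!UUID_RE.test(s)) throw new TypeError('invalid UUID: ' + value);
  return s;
}

// Hypothetical: the services the site explicitly requested for this device.
function allowedServices(requested) {
  return new Set(requested.map(canonicalUUID));
}

// Hypothetical user-agent step: build the `uuids` list exposed on the event,
// keeping only services the site was granted and dropping malformed entries.
function filterAdvertisedUUIDs(advertised, allowed) {
  const out = [];
  for (const raw of advertised) {
    let uuid;
    try { uuid = canonicalUUID(raw); } catch { continue; }
    if (allowed.has(uuid) && !out.includes(uuid)) out.push(uuid);
  }
  return out;
}

// Constructed sample: the site requested service A; the packet lists A and B.
const SERVICE_A = 0x180d;
const SERVICE_B = 0x180f;

function demo() {
  const allowed = allowedServices([SERVICE_A]);
  const packet = ['0000180D-0000-1000-8000-00805F9B34FB', SERVICE_B];
  return filterAdvertisedUUIDs(packet, allowed);
}

console.log(demo()); // only service A reaches the page
```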