- From: cbmpvr <notifications@github.com>
- Date: Fri, 05 Mar 2021 10:44:13 -0800
- To: w3c/gamepad <gamepad@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/gamepad/issues/145@github.com>
Hi there, we've recently seen reports, by way of various browser consoles, that the Gamepad API will soon require a secure context. It wasn't exactly clear on how to provide feedback on this change, although the Gamepad W3C spec mentions that GitHub issues are the preferred avenue for discussion. We understand that the reasoning for this change is to limit browser fingerprinting, and the general push/trend towards keeping things more secure/following best practices. Which we completely understand and agree with. However, there are applications where a secure context is not always possible. At least not without compromising security in some other way. Our products are network appliances which have a web management interface. Specifically one of these products is responsible for processing and managing extremely large LED displays (like you see in stadiums, rock concerts, side of buildings, etc). Our application leverages the awesome Gamepad API to allow our technicians to quickly navigate and adjust display uniformity via a gamepad controller. This works amazingly well. So thank you for your work on getting this standardized! Problem is that these devices live on temporary private networks with statically assigned IP addresses. Many of which have no internet connectivity at all. To further complicate things, all of the devices connected to these processors are either personally owned, provided by third party contractors, or rented from a general equipment warehouse. Meaning that not only do we lack access to the general internet certificate infrastructure, we're also not even able to deploy our own root certificates. Leaving us with the only option of using self signed certificates, and eventually teaching our industry to ignore certificate errors altogether. Which then means that the requirement to use a secure context actually lessened general security as we teach users to just ignore the scary certificate errors. I for one would like to avoid living in that world, so humbly request for a reconsideration of the requirement for the Gamepad API to only be accessible via a secure context. If the main concern is purely fingerprinting. It seems like the current requirement of having the user interact with the gamepad first before it is accessible via the page already largely helps prevents general catch-all/flyby fingerprinting? but we understand that's likely many other factors at play here. As an aside; there seem to be many other users adversely affected by this change (some noted as mentions in #120). Although curiously we did not see an issue already logged for this? So here we are. Thanks, Chris Byrne Software Engineer Megapixel VR https://megapixelvr.com/ -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/gamepad/issues/145
Received on Friday, 5 March 2021 18:44:26 UTC