Re: [w3c/gamepad] Re-enable Gamepad Access from HTTP (aka insecure) Context (Issue #203)

> Are you (the community) still interested in finding other approaches to mitigate privacy risks? Or has the community settled on not making any changes to the Gamepad permission?

We're always interested in better protecting the user's privacy. The permission discussion is ongoing; there are features we want to support through the API that wouldn't be appropriate if the only user consent is a button press, so I think this is bound to happen eventually.

I also maintain device APIs like WebUSB and WebHID which use a per-device permission model. One of the frustrations with these APIs is that you sometimes need to access the same device through multiple APIs, and this currently requires multiple permission prompts. In my opinion, one prompt should be sufficient because the user shouldn't be expected to know or care about such low-level implementation details. If the user has already granted access for a site to control the device through a low-level interface, then we may as well grant permission to access the device through any interface. This puts the permission at a level that the user can actually understand.

If this sort of cross-API per-device permission were available then we could use it for Gamepad API as well. That's one way we could add a permission without an explicit "gamepad" permission. I think a per-device permission makes sense for gamepads because the capabilities can vary significantly. Just because the user is okay with a site accessing their button and thumbstick inputs doesn't mean they're okay with it accessing microphone data or motion sensor data.

> From my understanding, the gamepad instance, once grabbed, is immutable

This is true in the current version of the spec, but it was initially unclear on whether getGamepads returns live objects or immutable snapshots, and the current implementations don't agree. The Chromium implementation is immutable while Safari and Firefox are closer to live objects. It's unfortunate that the behavior differs, but it isn't easily fixable without potentially breaking applications that rely on the current behaviors.

I don't have a strong opinion either way; I think we should do what's best for developers, and I suspect that's a live object. So, there's a chance we may change the API to return live objects someday.

> The idea is basically blocking the gamepad from being updated outside of user focus before the user explicitly allows it.

Yes, this makes sense. I think we should improve the API's user consent by amending the spec to require window focus when handling the initial gamepad gesture. Filed as #206.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/gamepad/issues/203#issuecomment-2105251689

Message ID: <w3c/gamepad/issues/203/2105251689@github.com>

Received on Friday, 10 May 2024 20:47:20 UTC
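
The live-object versus immutable-snapshot difference discussed in the message above, as an added example that is not part of the original reply or the spec: a polling helper that re-queries getGamepads() each frame and copies the state, so it behaves the same under both models. The two mock navigators and all helper names are constructed for illustration; only getGamepads(), buttons, pressed and axes are Gamepad API names.

```javascript
// Copy the fields we need out of whatever getGamepads() returns on this frame.
function snapshotPad(nav, index) {
  const pad = nav.getGamepads()[index];   // re-query every frame, never cache
  if (!pad) return null;                  // slot empty or pad not yet exposed
  return {
    buttons: Array.from(pad.buttons, b => b.pressed),
    axes: Array.from(pad.axes),
  };
}

// Constructed mock, snapshot model: each call returns a fresh frozen copy.
function makeSnapshotNavigator(device) {
  return {
    getGamepads: () => [Object.freeze({
      buttons: device.buttons.map(pressed => Object.freeze({ pressed })),
      axes: Object.freeze([...device.axes]),
    })],
  };
}

// Constructed mock, live model: one object whose fields track the device.
function makeLiveNavigator(device) {
  const pad = {
    get buttons() { return device.buttons.map(pressed => ({ pressed })); },
    get axes() { return [...device.axes]; },
  };
  return { getGamepads: () => [pad] };
}

// Simulate one button press and report what each access pattern observes.
function comparePolling(makeNavigator) {
  const device = { buttons: [false, false], axes: [0, 0] };
  const nav = makeNavigator(device);
  const cached = nav.getGamepads()[0];    // anti-pattern: keep the first result
  const before = snapshotPad(nav, 0);
  device.buttons[0] = true;               // user presses button 0
  const after = snapshotPad(nav, 0);
  return {
    cachedSeesPress: cached.buttons[0].pressed, // differs between the models
    requerySeesPress: after.buttons[0],         // same in both models
    earlierCopyUnchanged: before.buttons[0] === false,
  };
}
```

Code that holds on to the first returned object sees the press only under the live model, while the re-query-and-copy path gives the same answer under both.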