- From: Jeremy Orlow <jorlow@chromium.org>
- Date: Thu, 17 Sep 2009 10:35:43 -0700
- To: Arve Bersvendsen <arveb@opera.com>
- Cc: David Bennett <ddt@google.com>, public-webapps@w3c.org
- Message-ID: <5dd9e5c50909171035l70c64ae6wa1dee399fcaa3f8f@mail.gmail.com>

On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com> wrote:

> On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com> wrote:
>
>> I have a proposal for an extension to javascript to enable browsers to
>> access system idle information. Please give me feedback and suggestions
>> on the proposal.
>
> What exactly are the security and privacy implications of detecting system
> idle activity in the browser?

As far as I know, there really aren't any. This was discussed on WhatWG (before being directed here) and IIRC there were no serious security or privacy concerns. The minimum resolution of the event makes attacks based on keystroke timing impossible. Some people suggested that web apps could do something "bad" while the user is away, but I don't think anyone could come up with a good example of something "bad". Can you think of any specific concerns?

On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <robin@berjon.com> wrote:

> Hi David,
>
> On Sep 17, 2009, at 00:05 , David Bennett wrote:
>
>> I have a proposal for an extension to javascript to enable browsers to
>> access system idle information. Please give me feedback and suggestions on
>> the proposal.
>>
>> Thanks!
>>
>> SUMMARY
>>
>> There currently is no way to detect the system idle state in the browser.
>> For example this makes it difficult to deal with any sort of chat room or
>> instant messaging client inside the browser since the idle will always be
>> incorrect; or allow for apps to control their speed or network resources
>> when a user is idle.
>
> This sounds like it /could/ (not sure and no promises) be an area of work
> for DAP, given that it is about device/system information, and given that I
> would expect the user to be in very solid control of the security policy
> granting access to such information. I guess it could perhaps be exposed as
> a system property, part of the System Information work.

I'm not sure this is the type of API we need to ask the user about. Web apps can already detect when you're on their page, so I'm not sure how valuable the additional information you would be leaking is. I'd assume browsers could have a big hammer like "disable idle reporting" for any users who are particularly concerned.

In case it's not clear, I think this is a good proposal and all my concerns were addressed in previous threads: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html

Received on Thursday, 17 September 2009 17:36:44 UTC