Re: Request Web Security review of Gamepad API

Hi all, I've been working to review the draft and have questions. I
think some of these might be able to be turned into issues on GitHub
but I wanted to start a discussion first.

1) I have read in the past that the id field sometimes contains things
like a serial number. Obviously this presents a very persistent
tracking identifier.

Mozilla says: in Firefox it will contain three pieces of information
separated by dashes (-):
Two 4-digit hexadecimal strings containing the USB vendor and product
id of the controller
The name of the controller as provided by the driver.
https://developer.mozilla.org/en-US/docs/Web/API/Gamepad/id

How is this exposed in other browsers? It seems like it would be
advantageous to require this string to _not_ contain uniquely
identifying information and to non-normatively suggest an algorithm to
do so.

2) I'm confused by getGamepads:

a) why, in the example, is there a leading 'null'?  Is it indicating
there are two gamepads but not giving you information about the first
one? Why?
b) "Gamepads MUST only appear in the list if they are currently
connected to the user agent, and at least one device has been
interacted with by the user." - that's great. But what does
"interacted with by the user" mean? Ever since process start? For this
origin?

3) Gamepads are in the long tail of things that make the web a great
experience but are used very infrequently. Can this API be designed to
support a permission by making things like getGamepads async?  UAs
don't _need_ to implement a permission, but with synchronous APIs it
becomes _impossible_ to gate releasing user information via a
permission.

4) There doesn't seem to be any information about gamepadconnected and
disconnected as it relates to 'device has been interacted with by the
user'.  If I plug in a device, will my origins receive the connected
event? And then will every origin I subsequently visit be able to query
my gamepad because I interacted with it?


-tom

On 17 May 2018 at 03:28, Léonie Watson <tink@tink.uk> wrote:
> Hello Web Security,
>
> We would welcome your review of the Gamepad API specification [1], as part
> of our wide review before transitioning to Candidate recommendation (CR).
>
> If there are any issues arising from your review, please file them on the
> Gamepad GitHub repo [2], and apply the "wide review" and "security" labels
> to each issue. This will help us track your comments and respond
> accordingly.
>
> If there are no issues arising from your review, please let us know by reply
> to this thread.
>
> We would appreciate your comments no later than Friday 27th June 2018. Thank
> you.
>
> Léonie on behalf of the WebPlat Chairs and Gamepad Editors
> [1] https://www.w3.org/TR/2018/WD-gamepad-20180508/
> [2] https://github.com/w3c/gamepad/issues/new/
>
> --
> @LeonieWatson @tink@toot.cafe Carpe diem
>

Received on Friday, 18 May 2018 18:41:54 UTC
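
An added illustration of point 1 above, not part of the original message or of the Gamepad specification: one possible shape for an id-reduction step that parses the Firefox format quoted from MDN and drops name tokens that look like serial numbers. The function names, the fallback strings and the serial-number heuristic are assumptions made for this example, and the sample ids in the comments are constructed.

```javascript
// Firefox format per the MDN text quoted in the message:
// "<4 hex vendor>-<4 hex product>-<driver-provided name>"
const FIREFOX_ID = /^([0-9a-f]{4})-([0-9a-f]{4})-(.*)$/i;

// Split an id into its three parts, or return null if it is in another format.
function parseFirefoxId(id) {
  const m = FIREFOX_ID.exec(id);
  if (!m) return null;
  return { vendor: m[1].toLowerCase(), product: m[2].toLowerCase(), name: m[3] };
}

// Assumed heuristic (hypothetical, not from any spec): a token is treated as
// serial-like when it has 8+ alphanumeric characters and at least 4 digits.
// Model names such as "PLAYSTATION(R)3" pass; "SN:00A1B2C3D4E5" does not.
function looksLikeSerial(token) {
  const alnum = token.replace(/[^0-9a-z]/gi, "");
  const digits = (alnum.match(/[0-9]/g) || []).length;
  return alnum.length >= 8 && digits >= 4;
}

// Return an id that keeps the model-level information (vendor, product,
// descriptive name) but none of the tokens that could single out one device.
function reduceGamepadId(id) {
  const parsed = parseFirefoxId(id);
  // Fail closed: an unrecognised format is not passed through unmodified.
  if (!parsed) return "unknown-gamepad";
  const name = parsed.name
    .split(/\s+/)
    .filter((t) => t.length > 0 && !looksLikeSerial(t))
    .join(" ");
  return `${parsed.vendor}-${parsed.product}-${name || "gamepad"}`;
}

// Constructed sample:
//   reduceGamepadId("045E-028E-Acme Pad SN:00A1B2C3D4E5")
//   gives "045e-028e-Acme Pad"
```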