Re: Request Web Security review of Gamepad API from Tom Ritter on 2018-05-18 (public-webapps@w3.org from April to June 2018)

From: Tom Ritter <tom@ritter.vg>
Date: Fri, 18 May 2018 14:38:41 -0500
To: Florian Bösch <pyalot@gmail.com>
Cc: Léonie Watson <tink@tink.uk>, Webapps WG <public-webapps@w3.org>
Message-ID: <CA+cU71n6W5raWWM7PD_2Vknj65VxFnSrDV5uZ2+PxL2fYOSD+w@mail.gmail.com>

Okay, I think that's what I was after all along: Vendor/Device ID -
sure sounds good.

It's the Product Name that seems dangerous (and non-standard).

-tom



On 18 May 2018 at 14:33, Florian Bösch <pyalot@gmail.com> wrote:
> That's not what " USB vendor and product id" is. They are unique identifiers
> assigned by usb.org to each vendor and device they register. The
> unstructured "product name" is an optional string that some APIs/devices
> supply (or not). The vendor/device ID is not optional (and it isn't open to
> OS interpretations, localizations, etc.), it's a mandatory prerequisite to
> sell a USB device commercially, and serves as a unique identifier for each
> vendor and device so that developers know what device a user has.
>
> On Fri, May 18, 2018 at 9:27 PM, Tom Ritter <tom@ritter.vg> wrote:
>>
>> On 18 May 2018 at 14:10, Florian Bösch <pyalot@gmail.com> wrote:
>> > On Fri, May 18, 2018 at 8:41 PM, Tom Ritter <tom@ritter.vg> wrote:
>> >>
>> >> How is this exposed in other browsers? It seems like it would be
>> >> advantageous to require this string to _not_ contain uniquely
>> >> identifying information and to Non-normatively suggest an algorithm to
>> >> do so.
>> >
>> >
>> > In order to provide reasonable defaults for the variety of controllers
>> > there
>> > are, a developer needs to know what controllers a user is using. The
>> > alternative is having malfitting defaults and requiring users to rebind
>> > functions manually to suit their controller, or pick a configuration
>> > scheme
>> > for a controller from a list, both of which are substantially worse UX
>> > for
>> > things that "should just work" and which native applications can "make
>> > just
>> > work".
>> >
>> > If you keep making it harder to compete with native applications UX,
>> > it's to
>> > little of anybodies surprise that web applications can't compete with
>> > native
>> > applications. duh.
>>
>> What? How is saying "Playstation Controller Model 4" not indicating
>> what controller a user is using, and how is not saying "Playstation
>> Controller Model 4 Serial 28464927495" making the web ecosystem worse
>> than the native applications?
>>
>> -tom
>
>

Received on Friday, 18 May 2018 19:39:30 UTC