Re: Request Web Security review of Gamepad API

On 18/05/2018 19:41, Tom Ritter wrote:
> Hi all, I've been working to review the draft and have questions. I
> think some of these might be able to be turned into issues on github
> but I wanted to start a discussion first.

Thanks Tom. We appreciate you taking time to review this.

> 
> 1) I have read in the past that the id field sometimes contains things

> like a serial number. Obviously this presents a very persistent
> tracking identifier.
> 
> Mozilla says: in Firefox it will contain three pieces of information
> separated by dashes (-):
> Two 4-digit hexadecimal strings containing the USB vendor and product
> id of the controller
> The name of the controller as provided by the driver.
> https://developer.mozilla.org/en-US/docs/Web/API/Gamepad/id
> 
> How is this exposed in other browsers? It seems like it would be
> advantageous to require this string to _not_ contain uniquely
> identifying information and to Non-normatively suggest an algorithm to
> do so.

It sounds as though this one has been answered with Florian's help. For 
the rest I'd suggest opening Github issues because that's where we get 
most work done these days.

I'm happy to transfer them if it'd be helpful?

  Léonie.



> 
> 2) I'm confused by getGamepads:
> 
> a) why, in the example, is there a leading 'null'?  Is it indicating
> there are two gamepads but not giving you information about the first
> one? Why?
> b) "Gamepads MUST only appear in the list if they are currently
> connected to the user agent, and at least one device has been
> interacted with by the user." - that's great. But what does
> "interacted with by the user" mean? Ever since process start? For this
> origin?
> 
> 3) Gamepads are in the long tail of things that make the web a great
> experience but are used very infrequently. Can this API be designed to
> support a permission by making things like getGamepads async?  UAs
> don't _need_ to implement a permission, but with synchronous APIs it
> becomes _impossible_ to gate releasing user information via a
> permission.
> 
> 4) There doesn't seem to be any information about gamepadconnected and
> disconnected as it relates to 'device has been interacted with by the
> user'.  If I plug in a device, will my origins receive the connected
> event? And then will every origin subsequently visit be able to query
> my game pad because I interacted with it?
> 
> 
> -tom
> 
> On 17 May 2018 at 03:28, Léonie Watson <tink@tink.uk> wrote:
>> Hello Web Security,
>>
>> We would welcome your review of the Gamepad API specification [1], as part
>> of our wide review before transitioning to Candidate recommendation (CR).
>>
>> If there are any issues arising from your review, please file them on the
>> Gamepad Github repo [2], and apply the "wide review" and "security" labels
>> to each issue. This will help us track your comments and respond
>> accordingly.
>>
>> If there are no issues arising from your review, please let us know by reply
>> to this thread.
>>
>> We would appreciate your comments no later than Friday 27th June 2018. Thank
>> you.
>>
>> Léonie on behalf of the WebPlat Chairs and Gamepad Editors
>> [1] https://www.w3.org/TR/2018/WD-gamepad-20180508/
>> [2] https://github.com/w3c/gamepad/issues/new/
>>
>> --
>> @LeonieWatson @tink@toot.cafe Carpe diem
>>

-- 
@LeonieWatson @tink@toot.cafe Carpe diem

Received on Saturday, 19 May 2018 12:15:59 UTC