- From: Ken Buchanan via GitHub <noreply@w3.org>
- Date: Fri, 12 Dec 2025 18:53:23 +0000
- To: public-webauthn@w3.org
@rmondello > A thoughtful user agent would also need to ensure that the Page Visibility API doesn’t leak the fact that modal UI is showing. We have been continuing to discuss Apple's proposal, and we are not as yet convinced of the privacy benefits. Page Visibility API is just one way that a page can detect the presence of a modal UI dialog occluding the content area of the browser. Another is that `mousemove` events would stop being fired when the mouse cursor is moved across the edge of the dialog area (on desktop, at least). It might be possible to allow mouse movement to fall through the dialog to the page and continue triggering events, but seeing the mouse cursor move to the location of the Close button on the dialog would still be an easy side channel to detect the presence of the dialog. On some browsers there will be more subtle ways like using `requestAnimationFrame` timing to determine if compositing optimizations are skipping work for content that is fully occluded by the dialog. I think this would need deeper implementation-specific investigations. There are other pros and cons that we have been talking about, but the privacy question is a key discussion point. Is your proposal still valuable if it is trading an easy side-channel information leakage for a slightly-less-easy leakage? -- GitHub Notification of comment by kenrb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3647738950 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 12 December 2025 18:53:24 UTC