Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2LXKVWYkOus%5B1-25%5D
Summary
For both DeviceOrientationEvent and DeviceMotionEvent, whenever these APIs are used in a non-secure browsing context, we have been showing deprecation warnings [1] since 2015. It is time to actually restrict these APIs to secure browsing contexts.
[1] https://chromium.googlesource.com/chromium/src/+/d2a9364e140da89b73dda49d5e786d0128199447%5E%21/
Motivation
This change brings Chromium’s implementations in line with the privacy and security recommendations in the spec [2], and is aligned with the overarching effort to deprecate powerful features on insecure origins [3].
[2] https://w3c.github.io/deviceorientation/#security-and-privacy
[3] https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
Interoperability and Compatibility Risk
Edge: Unknown.
Firefox: An intent was sent out for removal of all sensor APIs (on secure and insecure origins), but ultimately it was decided to keep DeviceOrientation/Motion for the time being as there was significant legitimate usage including WebVR. See [4] and [5].
Safari: The sensor APIs are gated on the “Motion & Orientation Access” setting, which is disabled by default in iOS 12.2 beta 1. However, there seems to be an ongoing discussion around what would be the best permission UX going forward. See [6].
[4] https://groups.google.com/forum/#!topic/mozilla.dev.platform/45XApRxACaM
[5] https://www.fxsitecompat.com/en-CA/docs/2018/various-device-sensor-apis-are-now-deprecated/
[6] https://github.com/w3c/deviceorientation/issues/57
Alternative implementation suggestion for web developers
Both APIs are still available in secure browsing contexts. Users (e.g. websites building VR/AR/XR experiences) are advised to migrate to HTTPS. In insecure contexts, the Screen Orientation API [8] can be used as an alternative way to detect and respond to orientation changes.
[8] https://w3c.github.io/screen-orientation/
Usage information from UseCounter
https://www.chromestatus.com/metrics/feature/timeline/popularity/668
https://www.chromestatus.com/metrics/feature/timeline/popularity/670
As of Feb 2019, insecure usages of DeviceOrientationEvent and DeviceMotionEvent are observed on ~0.82% and ~0.12% of page loads, respectively, and trending downwards. Out of 40 randomly selected sites that HTTP Archive indicated to have been using these features in the last 3 months, 20 sites appeared to be no longer using them and/or already migrated over to HTTPS. On 19 sites, no obvious user-visible changes were observed, and on a single site an eye-candy parallax effect stopped working.
Entry on the feature dashboard
https://www.chromestatus.com/feature/5874690627207168
https://www.chromestatus.com/feature/5556931766779904
The usage numbers are pretty high, so I skimmed through a few of the HTTPArchive hits myself. I also saw usage overwhelmingly from third-party contexts, usually with domain names that looked a lot like advertising. I didn't dig into the detail of whether or not the API was being used for fingerprinting or for some more benign purpose. The visible usage I saw was along the same lines as what Balazs notes below: parallax effects use this API, but nothing else that I saw in the sites I dug through. The breakage therefore seems smaller than the overall usage numbers would indicate.
That said, I'd like to understand the plan: simply locking the event handler to secure contexts could cause pages to start throwing exceptions. Can I assume that you'll follow the advice in https://w3c.github.io/deviceorientation/#security-and-privacy by allowing registration (e.g. `window.ondeviceorientation = whatever;`) and continuing to expose interfaces, but simply refusing to fire events in non-secure contexts?
(On that note, do we aim to follow the rest of the recommendations in that section as well? I didn't see the top-level browsing context/same-origin nested context restriction, for example, while skimming through //third_party/blink/renderer/modules/device_orientation. +timvo...@chromium.org)
The usage numbers are pretty high, so I skimmed through a few of the HTTPArchive hits myself. I also saw usage overwhelmingly from third-party contexts, usually with domain names that looked a lot like advertising. I didn't dig into the detail of whether or not the API was being used for fingerprinting or for some more benign purpose. The visible usage I saw was along the same lines as what Balazs notes below: parallax effects use this API, but nothing else that I saw in the sites I dug through. The breakage therefore seems smaller than the overall usage numbers would indicate.Yes, that matches my observations. Specifically, the two main use cases I observed were the 1) parallax effect, and 2) embedded street-view style widgets, which, however, appeared to be only probing the API.That said, I'd like to understand the plan: simply locking the event handler to secure contexts could cause pages to start throwing exceptions. Can I assume that you'll follow the advice in https://w3c.github.io/deviceorientation/#security-and-privacy by allowing registration (e.g. `window.ondeviceorientation = whatever;`) and continuing to expose interfaces, but simply refusing to fire events in non-secure contexts?Yes, that's the plan. For now, it will still be possible to register an event handler, it will simply never be fired.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD1EjnY%3DXfAP68t_uGeSQqDLAfA_GLRuuK8pW44vW8gxCiUVvg%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAARdPYd6%3Dy6kpZOZ7QaqyQ5WTccTE-TFiwgtDM9h7-Fq9D4pxA%40mail.gmail.com.
The usage numbers are pretty high, so I skimmed through a few of the HTTPArchive hits myself. I also saw usage overwhelmingly from third-party contexts, usually with domain names that looked a lot like advertising.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Ddv_SSYqgQTq7SmvB3LqPyssXh1Tq13KC4NGX7ZU4VfMQ%40mail.gmail.com.
On Tue, Feb 12, 2019 at 9:18 AM Mike West <mk...@chromium.org> wrote:The usage numbers are pretty high, so I skimmed through a few of the HTTPArchive hits myself. I also saw usage overwhelmingly from third-party contexts, usually with domain names that looked a lot like advertising.Is it possible to add usecounters that split the main context from third party context usage?I'd be more comfortable with breaking 3rd parties where we suspect the main use-case is fingerprinting, but it would be useful to understand how much of the usage is first-party contexts, which are more likely to have a legitimate use for the APIs.
There is one thing in there that's cause for concern, and that is `if(DeviceOrientationEvent)`. This feature detection is broken as it will throw an exception if the DeviceOrientationEvent interface isn't exposed. One has to do `if (window.DeviceOrientationEvent)` or `if (typeof DeviceOrientationEvent !== "undefined")`.Do you have numbers for how common that form for one of the two interfaces was?
One thing which could save the situation is that wpt.fyi shows that Safari (desktio) doesn't expose the interfaces. However, pointing Safari on iOS at http://w3c-test.org/orientation-event/idlharness.window.html (non-secure context) shows that it does expose the interface. So, mobile content could still well depend on the interfaces being exposed.
https://github.com/w3c/deviceorientation/pull/65 is the spec issue, and whatever conclusion we arrive at would be good to have reflected there as well.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAARdPYcwnEHmZ%3DLVqs828yzSi7moWtdZDZ6bD-qpyzKZb1A_DA%40mail.gmail.com.
This change shouldn't have affected your site however in Chrome 66 feature policy controls were activated for this feature. Documented here: https://github.com/w3c/webappsec-feature-policy/blob/master/features.md#sensor-featuresIf you are embedding content that listens for these events without the appropriate feature policy configured then there should be a console warning in DevTools. You should be able to enable usage of these policy-controlled features in an iframe by adding allow="gyroscope accelerometer magnetometer" to the <iframe> tag.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMb2AffhjeXTYkO-wkr_MmvFQ4-E3uAbAD591eBFQaX2BA%40mail.gmail.com.
Hi. I'm running into the same issue. Where, exactly, did you add this?