Contact emails
mikhail.p...@intel.com, alexander...@intel.com
Spec
https://github.com/WICG/feature-policy/pull/102
Summary
By default the deviceorientation, deviceorientationabsolute and devicemotion events will be restricted to top-level document and same-origin frames.
The default behavior can be modified with explicit enabling/disabling of the dedicated sensor policy-controlled features. The sensor policy-controlled features are shared between the Device Orientation events and the corresponding Generic Sensor motion sensor classes which expose same sensor data. Please see https://github.com/WICG/feature-policy/pull/102 for details.
Event name | Required sensor policy-controlled features |
“accelerometer”, “gyroscope” | |
“accelerometer”, “gyroscope”, “magnetometer” | |
“accelerometer”, “gyroscope” |
Motivation
There are several motivations behind this intent
Address security and privacy concerns of exposing sensor data to cross-origin subframes (pls see https://bugs.chromium.org/p/chromium/issues/detail?id=598674 )
Improve interoperability with Firefox and Safari by providing the same default behavior
Consistent behavior with the feature policies introduced in the Generic Sensor API (https://w3c.github.io/sensors/#feature-policy-api).
For example, if the ‘accelerometer’ feature is disabled in a frame, then it should not be possible to get the accelerometer data in the frame by any means including devicemotion events.
Both Generic Sensor API and DeviceOrientation Event API use the same mojo component on browser side, so the implementation of sensor feature policies there affects both the APIs.
Risks
Interoperability and Compatibility
Edge: No signals
Firefox: Shipped (DeviceMotion/Orientation events are restricted to top-level document and same-origin frames which is compatible with the intended default behavior)
Safari: Shipped (DeviceMotion/Orientation events are restricted to top-level document and same-origin frames which is compatible with the intended default behavior)
Web developers: No signals
Ergonomics
The Device Orientation API shape remains the same. However, web developers would need to explicitly enable the corresponding sensor policy-controlled features in order to use the API from a cross-origin subframe..
Activation
Web developers who use DeviceMotion/Orientation events from a cross-origin subframe will require the corresponding sensor policy-controlled features to be enabled.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Is this feature fully tested by web-platform-tests?
Tests are to be added together with the intent implementation.
The WP tests for Generic Sensor feature policies are upstreamed https://chromium.googlesource.com/chromium/src/+/master/third_party/WebKit/LayoutTests/external/wpt/generic-sensor/generic-sensor-feature-policy-test.sub.js
Link to entry on the feature dashboard TBD
Requesting approval to ship?
Yes
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/270bfa24-3250-4fca-94af-c38063fe908c%40chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b4f2a971-ca8c-47c9-899b-b0cedddc3ab1%40chromium.org.
My preferred longer term plan would also be to deprecate the legacy DeviceMotion/Orientation events.
That said, this change actually paves the way to that future by requiring web developers to use Feature Policy for cross-origin sensor access for the legacy events. The exactly same Feature Policy tokens and infrastructure are used by the next generation Generic Sensor-based APIs currently implemented in Chrome and available as an Origin Trial. This smooths out the migration path for web developers.
> As it currently stands the Chrome Origin trial doesn't address the concerns with our existing events. Perhaps there has been more advanced work on quantization to mitigate the risks?I'm not sure if this is the right thread to have that discussion. There may be privacy concerns with the existing or new APIs but the change proposed here does not add to them. In fact it does the opposite by disabling these APIs in embedded contexts unless the embedding page explicitly allows them.> As it currently stands the Chrome Origin trial doesn't address the concerns with our existing events.If you feel there are privacy concerns with existing events in Chrome, please file a bug. Here is our current plan for sensor UX for new APIs that we are exposing which you may also be interested in.Thanks,RaymesOn Thu, 21 Dec 2017 at 09:57 Jonathan Kingston <j...@mozilla.com> wrote:As it currently stands the Chrome Origin trial doesn't address the concerns with our existing events. Perhaps there has been more advanced work on quantization to mitigate the risks?My overarching concern is that these sensors are given to the web page without the users knowledge.I'm not convinced that we would be servicing our users well by continuing this unprompted access let alone providing this to third party advertisements to detect user and environment behaviour.
As it currently stands the Chrome Origin trial doesn't address the concerns with our existing events. Perhaps there has been more advanced work on quantization to mitigate the risks?My overarching concern is that these sensors are given to the web page without the users knowledge.I'm not convinced that we would be servicing our users well by continuing this unprompted access let alone providing this to third party advertisements to detect user and environment behaviour.