Restrict Device Orientation and Motion to frames with same security origin as the main frame. |
|||||||
Issue descriptionFollowing the discussion regarding potential exploits of sensor data like accelerometer the specification has been updated with a security section: http://w3c.github.io/deviceorientation/spec-source-orientation.html#security-and-privacy Safari (WebKit) and Firefox (gecko) have implemented patches to better address the security concerns, e.g. only allowing Device Orientation events from main page or subframes with same security origin. Microsoft is aware of the issue, however I don't know the status of their implementation. relevant bugs for reference: * Bug 686401 - Restrict DeviceMotion to top-level document and same-origin frames (https://bugzilla.mozilla.org/show_bug.cgi?id=686401) * Bug 1197901 - Risks in the current implementation of Firefox on Android in accessing to the mobile orientation and motion sensors via JavaScript codes (https://bugzilla.mozilla.org/show_bug.cgi?id=1197901) * crbug.com/523320 Risks in current privacy/security policies of accessing to the mobile orientation and motion sensors via JavaScript codes * crbug.com/421691 Security: Accelerometer/gyroscope leak keystrokes and speech * Bug 150072 - Device motion and orientation should only be visible from the main frame (https://bugs.webkit.org/show_bug.cgi?id=150072)
,
Apr 4 2016
,
Apr 5 2016
,
Apr 11 2016
Tim, Gecko doesn't actually restrict access to same-origin iframes, does it? https://bugzilla.mozilla.org/show_bug.cgi?id=686401 was resolved Won't Fix with the justification that the risk was low and didn't seem to justify the cost of breaking legitimate use cases.
,
Apr 11 2016
My understanding is that it does (from correspondence with mozilla dev). The fix ships with Firefox 46. Bug 1197901 - Risks in the current implementation of Firefox on Android in accessing to the mobile orientation and motion sensors via JavaScript codes (https://bugzilla.mozilla.org/show_bug.cgi?id=1197901) is the more recent one which contains the patch and is marked as fixed.
,
Mar 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/21a19aa03091e1b0b0be9ab87e97d86d15527b94 commit 21a19aa03091e1b0b0be9ab87e97d86d15527b94 Author: timvolodine <timvolodine@chromium.org> Date: Thu Mar 02 21:03:52 2017 Add rappor logging for Device Orientation on security origins different from the main frame To address privacy/security concerns regaring exposing sensor related information on cross origin sub frames it has been suggested to restict usage of the api to frames with same origin as the main frame ( crbug.com/523320 , crbug.com/598674). As a first step towards applying this restriction this patch adds some rappor logging to assess the current usage of Device Orientation on cross origin frames. This is to ensure we don't break pages and to analyze existing cross-origin use cases of the API. BUG=598674 Review-Url: https://codereview.chromium.org/2698723002 Cr-Commit-Position: refs/heads/master@{#454373} [modify] https://crrev.com/21a19aa03091e1b0b0be9ab87e97d86d15527b94/third_party/WebKit/Source/core/frame/DeviceSingleWindowEventController.cpp [modify] https://crrev.com/21a19aa03091e1b0b0be9ab87e97d86d15527b94/third_party/WebKit/Source/core/frame/DeviceSingleWindowEventController.h [modify] https://crrev.com/21a19aa03091e1b0b0be9ab87e97d86d15527b94/third_party/WebKit/Source/modules/device_orientation/DeviceMotionController.cpp [modify] https://crrev.com/21a19aa03091e1b0b0be9ab87e97d86d15527b94/third_party/WebKit/Source/modules/device_orientation/DeviceOrientationController.cpp [modify] https://crrev.com/21a19aa03091e1b0b0be9ab87e97d86d15527b94/tools/metrics/rappor/rappor.xml
,
Sep 7 2017
Incidentally, this keeps came up again. https://twitter.com/KrauseFx/status/905822185284972546 Instead of restricting to same origin, can we instead do what we did for vibrate, i.e. require a cross-origin frame to have had a user gesture before it can use the API? If you interact with the frame, that's effectively permission for the frame to do something. This limits the attack surface enough IMO that there's no incentive for trying to exploit this.
,
Sep 11 2017
Should this be higher priority?
,
Nov 14 2017
,
Dec 21 2017
Introducing of Feature Policies for the Device Orientation API (https://bugs.chromium.org/p/chromium/issues/detail?id=796894) will fix this issue.
,
Feb 15 2018
Issue 523320 has been merged into this issue.
,
May 8 2018
,
May 26 2018
This breaks embedded 360degree image panoramas in AMP. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by rbyers@chromium.org
, Mar 29 2016