Comment from palmer@ on https://codereview.chromium.org/2847253002/#msg60:
Following this chain of links:
https://w3c.github.io/orientation-sensor/#usecases-requirements
https://w3c.github.io/motion-sensors/#usecases-and-requirements
https://w3c.github.io/motion-sensors/#security-and-privacy
https://www.w3.org/TR/generic-sensor/#security-and-privacy
I'm left with the impression that we have a sensor that has high sample rate and
precision, and that that is necessary to support the use-cases, but that we
don't have a clear story on what kind of control/informed consent/visibility
people will have when using origins that use this API.
In particular, I have a feeling that we are not going to be able to have one
generic protection mechanism for all the sensors, because the sensors support
use-cases with different requirements. (Consider this API vs. the Ambient Light
Sensor API, for example. See
https://bugs.chromium.org/p/chromium/issues/detail?id=642731#c17)
Before I can give a security thumbs-up, I'd like to see realistic,
non-speculative use-cases for all the generic sensor APIs, and safety mechanisms
suited to each API/sensor type. The most likely available sensor mechanisms are:
* Reducing sample rate to the minimum necessary
* Reducing sample precision to the minimum necessary
* Requiring callers to be in the currently-focused tab
* Requiring callers to be in the top-level document
* Requiring callers to have received a user gesture before getting some samples
* Requiring callers to have received an origin-scoped permission (prompting)
(this is probably the least good defense mechanism, but may sometimes be
necessary)
The chrome-security-enamel@google.com team may be able to help you nail down
which defenses are best when and for which sensors.
reilly@, palmer@ Thanks for your comments!
We're now working to figure out the minimum required sensor reading sample rate and precision; this research, however, might be quite time-consuming.
The following mechanisms are already in place:
* Samples are sent only to a currently visible page
* Requiring callers to be in the top-level document
* Sensor objects can be constructed only on secure contexts
Working on permissions infra is in progress.
The "* Requiring callers to have received a user gesture before getting some samples" option is something that we should start to work on.
Additionally we're investigating other mitigation strategies
https://github.com/w3c/sensors/issues/189
Comment 1 by maksim.s...@intel.com, Nov 16 2016
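The mitigations listed in the quoted comment (minimum sample rate, minimum precision, focused tab, top-level document, user gesture, permission) can be modelled as a gate that sits between the raw sensor stream and page script. The block below is an added illustration of that gate, written for this page; it is not Chromium code and not the Generic Sensor implementation. The `SensorGate` class, the policy fields, the `ctx` shape describing the calling document, and the 60 Hz sample stream are all assumptions made for the example.

```javascript
// Added example, not Chromium or W3C code. Models the mitigations discussed
// above as a gate applied to a raw sensor stream before page script sees it.
// Policy fields, the ctx shape and the sample stream are assumptions.

const DEFAULT_POLICY = {
  maxHz: 10,                // reduce sample rate to the minimum the use-case needs
  decimals: 1,              // reduce precision: readings rounded to this many decimals
  requireTopLevel: true,    // callers must be in the top-level document
  requireFocus: true,       // callers must be in the currently focused tab
  requireGesture: false,    // some sensors may additionally want a prior user gesture
  requirePermission: false, // origin-scoped permission prompt (least preferred)
};

// Per-sensor policies: different sensors support different use-cases and so
// warrant different mechanisms. Values here are illustrative assumptions.
const SENSOR_POLICIES = {
  accelerometer: { maxHz: 10, decimals: 1 },
  ambientlight: { maxHz: 1, decimals: 0, requireGesture: true },
};

class SensorGate {
  constructor(policy = {}) {
    this.policy = { ...DEFAULT_POLICY, ...policy };
    this.lastDelivered = -Infinity; // timestamp (ms) of the last delivered sample
  }

  // ctx describes the caller's document. Returns the first failing check, or
  // null if the caller may currently receive samples.
  denyReason(ctx) {
    const p = this.policy;
    if (!ctx.secureContext) return 'insecure-context';
    if (!ctx.visible) return 'hidden';
    if (p.requireTopLevel && !ctx.topLevel) return 'not-top-level';
    if (p.requireFocus && !ctx.focused) return 'not-focused';
    if (p.requireGesture && !ctx.userActivated) return 'no-user-gesture';
    if (p.requirePermission && ctx.permission !== 'granted') return 'no-permission';
    return null;
  }

  // Precision reduction: round a raw value to the policy's decimal places.
  quantize(v) {
    return Number(v.toFixed(this.policy.decimals));
  }

  // Returns the reading the page may see, or null if the sample is dropped
  // (either because a context check fails or because of rate limiting).
  accept(ctx, reading) {
    if (this.denyReason(ctx) !== null) return null;
    const minIntervalMs = 1000 / this.policy.maxHz;
    if (reading.t - this.lastDelivered < minIntervalMs) return null; // rate limit
    this.lastDelivered = reading.t;
    return {
      t: reading.t,
      x: this.quantize(reading.x),
      y: this.quantize(reading.y),
      z: this.quantize(reading.z),
    };
  }
}

// Constructed raw stream: `hz` samples per second with full float precision,
// standing in for what the platform sensor would produce.
function rawStream(hz = 60, seconds = 1) {
  const out = [];
  for (let i = 0; i < hz * seconds; i++) {
    const t = (i * 1000) / hz;
    out.push({ t, x: Math.sin(t / 100) * 9.81, y: 0.0123 * i, z: 9.80665 });
  }
  return out;
}

// Run a whole stream through the gate and keep only delivered samples.
function deliver(gate, ctx, stream) {
  return stream.map((r) => gate.accept(ctx, r)).filter((r) => r !== null);
}

// Example usage: a focused, visible, top-level secure document gets 10 of
// the 60 raw samples per second, each rounded to one decimal place.
const exampleCtx = {
  secureContext: true, visible: true, topLevel: true,
  focused: true, userActivated: false, permission: 'prompt',
};
const delivered = deliver(new SensorGate(SENSOR_POLICIES.accelerometer), exampleCtx, rawStream(60, 1));
console.log(`${delivered.length} of 60 samples delivered; first:`, delivered[0]);
```

The context checks and the rate limit are deliberately separate so that a page that loses focus or visibility stops receiving samples immediately, while a page that stays eligible is still held to the configured rate and precision. The per-sensor policy table is the point raised in the comment: an ambient light sensor and a motion sensor have different use-cases, so they get different settings rather than one generic mechanism.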