Issue 904439

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



DeviceOrientationEvent / DeviceMotionEvent should be restricted to secure contexts

Project Member Reported by engedy@chromium.org, Nov 12

Issue description

As per the "Security and privacy considerations" in the spec, to minimize privacy risks, the chance of fingerprinting and other attacks, the implementations should [...] fire events only on secure browsing contexts [...].

This behavior would also be consistent with other Generic Sensor APIs which are restricted to secure contexts.
 
Just FYI we have metrics for insecure usage of DeviceOrientationEvent and DeviceMotionEvent:

* Blink.UseCounter.Features.DeviceMotionInsecureOrigin
* Blink.UseCounter.Features.DeviceOrientationAbsoluteInsecureOrigin
* Blink.UseCounter.Features.DeviceOrientationInsecureOrigin

Usage is sadly rather high. mlamouri@ did a lightning talk on this at a past BlinkOn. IIRC the usage is mostly advertising.

Status: Available (was: Untriaged)

engedy@ are you interested in taking ownership of this?

Not necessarily me personally, but this is on the team's TODO list.
