Comments (2)
I agree that web security is an important matter; however, I think we need to be a bit careful here when changing the spec on a feature that has been available for ~7 years. As the tip of the iceberg, as per [SECURE_CONTEXTS] all of the following sites that allow users to embed 360 video or panorama functionality into their own web pages will break unless the top-level page also uses HTTPS:
- https://developers.google.com/vr/concepts/vrview
- https://www.facebook.com/notes/panoramic-photographers-on-facebook/facebook-panorama-embed-tutorial/172042586173194
- many others
I work with sensors using these specs on a daily basis and have read many papers that have been cited in the argument for deprecation on insecure pages. These papers, although they present impressive research, do not provide any practical analysis on how personal information could be compromised through these browsers, as the academic environment and variables are different from those of this spec (including the discrepancy of the academic firing rate, typically 100-200Hz, compared to a maximum of 60Hz in the browser), along with other factors that make their proposed machine learning approaches scalable (such as variety of training devices). Some papers aim to address such issues but ultimately note that results degrade significantly once less academic environments are in place.
If the Generic Sensors API has a higher firing rate, we should evaluate the security of those sensors separately, though it seems hasty to cite studies to close down this longstanding spec on insecure origins when it is already deprecated for cross-origin applications, especially when the cited research variables don't match the spec recommendations (60Hz).
Full disclosure: I work at a company that media publishers hire to create ads that use motion sensors. Many of these companies simply cannot afford to secure their webpages due to massive traffic on their website. These companies are not malicious.
from deviceorientation.
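The comment above lists the conditions under which a `deviceorientation` listener stops receiving events (an HTTP top-level page once the secure-context requirement lands, a cross-origin embed, and on some platforms a permission prompt) and notes that browsers cap delivery at 60Hz. The following is an added example, not code from the thread, the spec, or any of the embed providers named above; it gates a subscription on those conditions and measures the real delivery rate rather than assuming 60Hz. The `win` parameter stands in for `window` so the logic can be exercised outside a browser with a constructed window-like object; the `CHECKS` strings and the 120-sample window are my own choices.

```javascript
'use strict';
// Added example (not from the original thread). `win` is injected instead of
// read from the global so the gating logic can run against a fake window.

const CHECKS = Object.freeze({
  NO_API: 'DeviceOrientationEvent is not defined',
  INSECURE: 'document is not a secure context (HTTP top-level page)',
  CROSS_ORIGIN_FRAME: 'document is embedded in a cross-origin frame',
});

// True when this document is framed by a page on another origin. Reading
// top.location.href throws for a cross-origin ancestor, which is the signal.
function isCrossOriginFrame(win) {
  if (win.self === win.top) return false;
  try {
    void win.top.location.href;
    return false;
  } catch (e) {
    return true;
  }
}

// Describes whether registering a listener is worthwhile. `blockers` lists
// the reasons events will not arrive; `needsPermission` is true on platforms
// that expose DeviceOrientationEvent.requestPermission() (e.g. iOS Safari).
function orientationAccessPlan(win) {
  const blockers = [];
  const api = win.DeviceOrientationEvent;
  if (typeof api === 'undefined') blockers.push(CHECKS.NO_API);
  if (win.isSecureContext === false) blockers.push(CHECKS.INSECURE);
  if (isCrossOriginFrame(win)) blockers.push(CHECKS.CROSS_ORIGIN_FRAME);
  const needsPermission = !!api && typeof api.requestPermission === 'function';
  return { ok: blockers.length === 0, blockers, needsPermission };
}

// Effective event rate (Hz) from event timestamps in milliseconds. The median
// interval is used so one dropped or delayed frame does not skew the estimate.
function estimateRateHz(timestampsMs) {
  if (timestampsMs.length < 2) return 0;
  const gaps = [];
  for (let i = 1; i < timestampsMs.length; i++) {
    gaps.push(timestampsMs[i] - timestampsMs[i - 1]);
  }
  gaps.sort((a, b) => a - b);
  const mid = gaps.length >> 1;
  const median = gaps.length % 2 ? gaps[mid] : (gaps[mid - 1] + gaps[mid]) / 2;
  return median > 0 ? 1000 / median : 0;
}

// Subscribes only when the plan allows it. Resolves to an object carrying
// `subscribed`, `blockers`, and, on success, `rateHz()` and `unsubscribe()`.
async function subscribeOrientation(win, onEvent) {
  const plan = orientationAccessPlan(win);
  if (!plan.ok) return { subscribed: false, blockers: plan.blockers };
  if (plan.needsPermission) {
    const state = await win.DeviceOrientationEvent.requestPermission();
    if (state !== 'granted') {
      return { subscribed: false, blockers: ['permission ' + state] };
    }
  }
  const stamps = []; // rolling window of the last 120 event timestamps
  const listener = (ev) => {
    stamps.push(ev.timeStamp);
    if (stamps.length > 120) stamps.shift();
    onEvent(ev);
  };
  win.addEventListener('deviceorientation', listener);
  return {
    subscribed: true,
    blockers: [],
    rateHz: () => estimateRateHz(stamps),
    unsubscribe: () => win.removeEventListener('deviceorientation', listener),
  };
}
```

In a page you would call `subscribeOrientation(window, handler)` and, when `subscribed` is false, fall back to touch or drag controls instead of silently showing a frozen panorama; `rateHz()` after a second or so of events tells you what the browser is actually delivering on that device.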
Fixed in #65.
Related Issues (20)
- Broken references in DeviceOrientation Event Specification
- Behavior when event data cannot be provided is underspecified HOT 3
- DeviceOrientationEvent.absolute's value when data cannot be obtained
- Add automation support using WebDriver HOT 8
- Wide review tracker HOT 20
- Accessibility Checklist HOT 2
- Internationalization Checklist HOT 3
- Same origin S&P requirement conflicts with Permissions Policy integration HOT 3
- Guidance needed: how to acquire compass headings in a future-compatible manner? HOT 3
- "Status of this document" section needs to reflect join deliverable status HOT 8
- How to check when permission is denied? HOT 8
- Fix the build HOT 3
- Do we really need 3 permissions policies? HOT 7
- Abstract away underlying sensors HOT 2
- Fully active checks
- Alternative orientation representations? HOT 4
- Combined permission request is problematic HOT 6
- fire an orientation event need to use the dictionary HOT 1
- How reliable is interval? HOT 4
- Goodies from Accelerometer, Motion, Orientation, Gyro specs to bring over