As mentioned a permission prompt isn't great. In it's current state it should probably be considered a "powerful feature" that we can remove just for secure context. Granted this doesn't fix the exploit mentioned here though.
Freddy highlighted that the spec itself suggests the Generic Sensor API is the security model which requires: https://www.w3.org/TR/generic-sensor/#secure-context I can't see that as a restriction in our codebase though? This looks like a specification violation here. Thanks Jonathan On Mon, Apr 24, 2017 at 2:38 PM, Frederik Braun <fbr...@mozilla.com> wrote: > The Ambient Light spec defers its security and privacy considerations to > the generic sensors specification, which states > > > all interfaces defined by this specification or extension > specifications must only be available within a secure context. > > > Would we require telemetry before we restricted this to secure contexts? > > > > On 24.04.2017 15:24, Frederik Braun wrote: > > Hi, > > > > there is a relatively recent blog post [1] by Lukasz Olejnik and Artur > > Janc that explains how one can steal sensitive data using the Ambient > > Light Sensor API [2]. > > > > We ship API and its enabled by default [3,4] and it seems we have no > > telemetry for this feature. > > > > > > Unshipping for non-secure context and making it HTTPS-only wouldn't > > address the attack. > > > > The API as implemented is using the 'devicelight' event on window. > > I suppose one might also be able to implement a prompt for this, but > > that doesn't sound very appealing (prompt fatigue, etc., etc.). > > > > > > What do people think we should do about this? > > > > > > > > Cheers, > > Freddy > > > > > > > > > > > > [1] > > https://blog.lukaszolejnik.com/stealing-sensitive- > browser-data-with-the-w3c-ambient-light-sensor-api/ > > [2] https://www.w3.org/TR/ambient-light/ > > [3] It is behind the dom.sensors.enabled (sic!) flag. > > [4] > > http://searchfox.org/mozilla-central/source/dom/system/ > nsDeviceSensors.cpp > > > > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
