Re: [whatwg] Password managers ignoring autocomplete='off' harming security

[Anne van Kesteren]

On Thu, Oct 2, 2014 at 3:12 AM, Dan Poltawski d...@moodle.com wrote:
 The most basic case of autocompleting on the same site is the one
 which is most problematic for us.

 A traditional username/password to login to the site with autocomplete
 enabled and functioning as expected - but then after the user has
 logged in, they do something on a page with one of these (i'll now
 call) masked fields, and without them noticing - that field is
 autocompleted with their login password. Previously we could prevent
 that behaviour by disabling autocomplete on these fields.

 Note a more traditional example of this which might affect more sites
 is something like a 'create new user' form where the password would be
 erroneously set to the password of the user who is creating the
 accounts.

https://html.spec.whatwg.org/multipage/forms.html#autofill has some
ways of managing autofill. I'm not sure how much of it is implemented.
From that it seems you could use autocomplete=new-password, although
if that works as advertized it would have the problem Daniel Cheng
mentioned, so perhaps it's only used as heuristic.


-- 
https://annevankesteren.nl/

Re: [whatwg] Password managers ignoring autocomplete='off' harming security

[Dan Poltawski]

On 2 October 2014 05:15, Daniel Cheng dch...@google.com wrote:
 Doesn't adding this new input type defeat the whole point of ignoring
 autocomplete=off? Now sites that want to disable password managers will just
 use this for their password field, and we're back to square one.

Right and at what point does this end? If for our situation we're
forced to create our own masking solution which doesn't use a password
input, isn't a logical extension that some of these sites which been
trying to prevent password managers filling actual password fields
will just use this technique too?

On a slight tangent, as an avid 1password user I appreciate this
functionality of password managers to complete irrespective of what
the field says. But I disable the ability of the password manager to
auto-fill without my explicit input because I faced this kind of
issue. Perhaps the UX of auto-filling these fields could be considered
in a different way - all of these problem areas are on pages where the
user clearly knows they don't need their password filling in *any* of
the fields on the form so if made clear to them, wouldn't consent to
it.

Dan

 On Wed, Oct 1, 2014 at 12:19 PM, Dan Poltawski d...@moodle.com wrote:
  Hi All,
 
  Over the past few months all the browser vendors have moved towards
  ignoring autocomplete=off with password fields. I understand the
  rationale behind this, but in our software project this has lead to
  the frustrating situation where we seem to have no good option to deal
  with this and the change is actively harming the security of our
  users.
 
  To outline the situation in broad terms:
  * We have shared secrets on the page which we protect against shoulder
  surfing by using the password element with autocomplete=off
  * The password managers are now all auto-filling these fields with
  passwords on the same domain and in many cases without the user even
  noticing (optional fields they wouldn't look at)
  * The passwords then get stored in our shared-secret fields clear text
  and available to all their peers
  * This can then be used for privilege escalation etc
 
  It seems like our only option is avoid use of password field at all
  and invent our own 'fake' password field to protect our users
  passwords from being exposed. That seems like a really disappointing
  solution.
 
  (Apologies in advance if this is completely off-list, I saw some
  threads leading to this list and it wasn't clear to me if this sort of
  discussion was acceptable).
 
  cheers,
  Dan

Re: [whatwg] Adding a property to navigator for getting device model

[Mounir Lamouri]

On Wed, 1 Oct 2014, at 19:43, Jonas Sicking wrote:
 On Wed, Oct 1, 2014 at 2:27 AM, Mounir Lamouri mou...@lamouri.fr wrote:
  On Wed, 1 Oct 2014, at 15:01, Jonas Sicking wrote:
  On Tue, Sep 30, 2014 at 4:40 AM, Mounir Lamouri mou...@lamouri.fr
  wrote:
   On Wed, 24 Sep 2014, at 11:54, Jonas Sicking wrote:
   Thoughts?
  
   Do you have any data that makes you think that those websites would stop
   using UA sniffing but start using navigator.deviceModel if they had that
   property available?
 
  I know that the Cordova module for exposing this information is one of
  the most popular Cordova modules, so that's a pretty good indication.
  But I don't have data directly from websites.
 
  When you were pointing that websites currently do UA sniffing is it on
  the client side of the server side?
 
 I'd imagine UA sniffing happens more often on the server side, though
 I suspect it varies with the reason why people do it.
 
 But the Cordova API is client side, so there's definitely desire to
 have it there too.

Isn't Cordova experience feedback a bit out of scope if usually
developers do UA sniffing on the server side? It seems that such a
feature would mostly benefit web sites that already entirely live on the
client side and might be more inclined to do feature detection.

-- Mounir

[whatwg] Proposal: Wake Lock API

[Андрей Логвинов]

Can I suggest the following approach to wake lock interface:

1. User agent provides an interface to documents such that a document loaded 
into the browsing context can indicate whether it wishes to keep the device 
awake. Each browsing context has an independent state of this flag.
2. User agent manages global wake lock state considering the following 
circumstances:
* Whether the wake lock is currently applicable to some browsing context. 
This means that there is at least one browsing context that is not blurred and 
has wake lock flag set.
* Whether the wake lock is currently permitted by the state of the 
operating system (there is sufficient battery charge etc.)
User agent must observe the state of these conditions, acquiring the wake lock 
when they both become true and releasing the lock when one or both of them 
become false.
3. User agent has a global flag observable by each browsing context which 
indicates whether the global lock is currently held.
4. User agent recognizes some form of document identity (such as URL not 
including the fragment identifier) and resets context's wake lock flag when 
this identity changes.

The idea behind this is that as the global wake lock is shared between all 
browsing contexts (and thus not exclusively owned by any of them) and 
furthermore it is subject to conditions out of their control such as context 
being blurred or device having insufficient battery charge, it is undesirable 
that web applications handle acquisition/release (and failure of these 
operations) of the global wake lock themselves, rather, they should set wake 
lock preference and user agent should manage the global wake lock for them. 
Also, web applications should be able to observe the state of the global wake 
lock if they wish to take any special actions when the global wake lock is not 
actually set.

An implementation can e.g. look like this:
```
partial interface Document {
// an application can set this flag to true to request wake lock or false 
to cancel request
// this attribute is per-context
attribute boolean keepAwake;
 }

partial interface Navigator {
// an application can observe this attribute to be notified of the actual 
global lock status
// this attribute has the same value for all browsing contexts
[observable] readonly attribute boolean awakeLock;
}
```

Any comments are highly appreciated.

Kind regards,

Andrey Logvinov

Re: [whatwg] Adding a property to navigator for getting device model

[Jonas Sicking]

On Thu, Oct 2, 2014 at 3:57 AM, Mounir Lamouri mou...@lamouri.fr wrote:
 On Wed, 1 Oct 2014, at 19:43, Jonas Sicking wrote:
 On Wed, Oct 1, 2014 at 2:27 AM, Mounir Lamouri mou...@lamouri.fr wrote:
  On Wed, 1 Oct 2014, at 15:01, Jonas Sicking wrote:
  On Tue, Sep 30, 2014 at 4:40 AM, Mounir Lamouri mou...@lamouri.fr
  wrote:
   On Wed, 24 Sep 2014, at 11:54, Jonas Sicking wrote:
   Thoughts?
  
   Do you have any data that makes you think that those websites would stop
   using UA sniffing but start using navigator.deviceModel if they had that
   property available?
 
  I know that the Cordova module for exposing this information is one of
  the most popular Cordova modules, so that's a pretty good indication.
  But I don't have data directly from websites.
 
  When you were pointing that websites currently do UA sniffing is it on
  the client side of the server side?

 I'd imagine UA sniffing happens more often on the server side, though
 I suspect it varies with the reason why people do it.

 But the Cordova API is client side, so there's definitely desire to
 have it there too.

 Isn't Cordova experience feedback a bit out of scope if usually
 developers do UA sniffing on the server side? It seems that such a
 feature would mostly benefit web sites that already entirely live on the
 client side and might be more inclined to do feature detection.

If feature detection covered all the use cases, then why would the
Cordova module be so popular?

/ Jonas

Re: [whatwg] Adding a property to navigator for getting device model

[Mounir Lamouri]

On Fri, 3 Oct 2014, at 04:39, Jonas Sicking wrote:
 On Thu, Oct 2, 2014 at 3:57 AM, Mounir Lamouri mou...@lamouri.fr wrote:
  On Wed, 1 Oct 2014, at 19:43, Jonas Sicking wrote:
  On Wed, Oct 1, 2014 at 2:27 AM, Mounir Lamouri mou...@lamouri.fr wrote:
   On Wed, 1 Oct 2014, at 15:01, Jonas Sicking wrote:
   On Tue, Sep 30, 2014 at 4:40 AM, Mounir Lamouri mou...@lamouri.fr
   wrote:
On Wed, 24 Sep 2014, at 11:54, Jonas Sicking wrote:
Thoughts?
   
Do you have any data that makes you think that those websites would 
stop
using UA sniffing but start using navigator.deviceModel if they had 
that
property available?
  
   I know that the Cordova module for exposing this information is one of
   the most popular Cordova modules, so that's a pretty good indication.
   But I don't have data directly from websites.
  
   When you were pointing that websites currently do UA sniffing is it on
   the client side of the server side?
 
  I'd imagine UA sniffing happens more often on the server side, though
  I suspect it varies with the reason why people do it.
 
  But the Cordova API is client side, so there's definitely desire to
  have it there too.
 
  Isn't Cordova experience feedback a bit out of scope if usually
  developers do UA sniffing on the server side? It seems that such a
  feature would mostly benefit web sites that already entirely live on the
  client side and might be more inclined to do feature detection.
 
 If feature detection covered all the use cases, then why would the
 Cordova module be so popular?

I would love to know actually. Silvia, do you have any insights?

-- Mounir

Re: [whatwg] Adding a property to navigator for getting device model

[Silvia Pfeiffer]

On 3 Oct 2014 04:45, Mounir Lamouri mou...@lamouri.fr wrote:

 On Fri, 3 Oct 2014, at 04:39, Jonas Sicking wrote:
  On Thu, Oct 2, 2014 at 3:57 AM, Mounir Lamouri mou...@lamouri.fr
wrote:
   On Wed, 1 Oct 2014, at 19:43, Jonas Sicking wrote:
   On Wed, Oct 1, 2014 at 2:27 AM, Mounir Lamouri mou...@lamouri.fr
wrote:
On Wed, 1 Oct 2014, at 15:01, Jonas Sicking wrote:
On Tue, Sep 30, 2014 at 4:40 AM, Mounir Lamouri mou...@lamouri.fr

wrote:
 On Wed, 24 Sep 2014, at 11:54, Jonas Sicking wrote:
 Thoughts?

 Do you have any data that makes you think that those websites
would stop
 using UA sniffing but start using navigator.deviceModel if they
had that
 property available?
   
I know that the Cordova module for exposing this information is
one of
the most popular Cordova modules, so that's a pretty good
indication.
But I don't have data directly from websites.
   
When you were pointing that websites currently do UA sniffing is
it on
the client side of the server side?
  
   I'd imagine UA sniffing happens more often on the server side, though
   I suspect it varies with the reason why people do it.
  
   But the Cordova API is client side, so there's definitely desire to
   have it there too.
  
   Isn't Cordova experience feedback a bit out of scope if usually
   developers do UA sniffing on the server side? It seems that such a
   feature would mostly benefit web sites that already entirely live on
the
   client side and might be more inclined to do feature detection.
 
  If feature detection covered all the use cases, then why would the
  Cordova module be so popular?

 I would love to know actually. Silvia, do you have any insights?

I've not used it - maybe others have some insights.

Best Regards,
Silvia.

Re: [whatwg] Notifications: making requestPermission() return a promise

[Domenic Denicola]

My previous replies to this thread have been about more general issues 
regarding promises and exceptions where I felt the need to jump in. Now, about 
the actual specific case at hand...

From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Anne van 
Kesteren

 Otherwise I would never expect this promise to be rejected as the user 
 declining notifications is not exceptional.

I think this is a judgment call. The definition of exceptional is always a 
bit tricky. Really it comes down to, should the developer always handle this 
case or not?

For example, failures like a file being unreadable can be considered 
exceptional, since often a developer doesn't want to handle such failures, but 
instead wants to put a big try {} block around a bunch of logic, and if any of 
it failed, say something went wrong.

I also maintain that this is partially in how the function is named. For 
example, if your function is called `writeToFile()` or 
`acquireNotificationPermission()`, it can be considered exceptional for it to 
fail.

To illustrate this, let's work in a world with only-sync calls, since that 
reduces peoples confusion about this new promises concept and what's 
appropriate there. The developer will likely include such calls in a sequence 
of operations, one after the other, and expect none of them to fail:

```js
acquireNotificationPermission();
var data = prepareNotificationData();
showNotification(data);
removeFromNotificationQueue(data);
```

in this example, any failures in any of these steps will bubble up to 
window.onerror, and get sent to telemetry. That seems OK, and in-line with the 
intent of the code.

Whereas, if the function is named `userAllowsNotifications()`, it is much 
clearer that you would do

```js
var canNotify = userAllowsNotifications();
if (canNotify) {
  var data = prepareNotificationData();
  showNotification(data);
  removeFromNotificationQueue(data);
}
```

So to me, the question comes down to: do we want to design our APIs around the 
model of `acquireNotificationPermission()`, where the developer codes as if 
getting permission is an expected normal thing? Or do we want to code them 
around the model of `userAllowsNotifications()`, where the developer is 
explicitly asking a question?

To answer some contentions that the latter style would force duplicate error 
handling with promises: it would not. Very similar to sync code, you would write

```js
userAllowsNotifications().then(canNotify = {
  if (canNotify) {
var data = prepareNotificationData();
showNotification(data);
removeFromNotificationQueue(data);
  }
});
```

and any other errors (e.g. programming errors, like if someone had typo'd 
prepareNotificationData()) would flow up to the developer tools, and eventually 
to window.onerror or similar once we get that specced [1]. You would not write 
an explicit `.catch(...)` to handle such failures.

(And yes, only Firefox's developer tools correctly show such errors; Chrome is 
embarrassingly behind in that regard.)

---

Bringing this back to requestPermission() and notifications: honestly, the name 
doesn't help me much in deciding which programming model we want. It could go 
either way.

So we should make a choice, as to whether we want developers to assume they 
will always get permission (in which case it should reject upon permission not 
being granted), or whether we want developers to ask the API whether they were 
granted permission (in which case it should give back a boolean fulfillment 
value or similar).


[1]: http://lists.w3.org/Archives/Public/public-whatwg-archive/2014Sep/0024.html

Re: [whatwg] Adding a property to navigator for getting device model

[Mounir Lamouri]

On Fri, 3 Oct 2014, at 05:50, Silvia Pfeiffer wrote:
 I've not used it - maybe others have some insights.

Sorry about that. I misread your previous messages and presumed that you
were related to the Cordova project.

-- Mounir

Re: [whatwg] Adding a property to navigator for getting device model

[eberhard speer jr.]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Maybe you missed my initial message : I am a contributor [IPMC] to the
Apache DeviceMap Project. [http://incubator.apache.org/devicemap/]

DeviceMap does expert UA-sniffing both client and server-side.
Apache Cordova on the other hand is a mobile development framework which
uses HTML5/CSS/Javascript and via plug-ins allows access to device
features not or not consistently accessible [yet] via HTML5. The whole
is packaged in a wrapper targeting a specific platform [iOS, Android,...].
So, no 'UA-sniffing' going on there to format content, but HTML5/CSS and
javascript running inside a container which via the abstraction of a
WebView and plug-ins allows access to things like accelerometer,
camera, address-book etc.

If you are interested in the intricacies of UA-sniffing, client and
server-side, the use-cases, the esoterica etc I'll gladly contribute
what I can.

Regards,
eberhard speer jr.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJULiUDAAoJEOxywXcFLKYc/BYH/RsrgBLLQHcgMfoEp2mU8bKW
u5Hrgb1mEIXNp3GO41JW4dX7J9rxTBYlrwMOnznLq2GwM7awiWBVPYvL4cgokAvY
xc3lesplBbNONCNq5xNPWHfDHTfxewjyOSPEnH9M/VyFEVsafxRKbMqUdlBLV44c
Cmp27o8NDwKih/NQGYEzIfvCfv9l3jR95BpCpGQefq+NdVu4M+PHPnI04VMA3SYZ
k2Yl/M0iBIzID3mhLUivTm2xO0OrP6ZqJBXXdpi1FrPzCk9e/I7ahtzJA8V1OwQM
O0KsTwf3zlvLOr75SVhlCdOf4/tWs2/zbu7/KSjLSZZLfdsdNPeMnd6rcSo8j2o=
=SMaM
-END PGP SIGNATURE-