I think that 60Hz is too high a rate for this.
I suggest that we restrict this to top-level, foreground, and secure
contexts. Note that foreground is a necessary precondition for the
attack, so that restriction doesn't really help here. Critically,
rate limit access much more than the 60Hz recom
The issue is now resolved and a new version of the add-on has been
submitted to AMO for review. Special thanks to Andy Mackay for the fix.
Cheers!
On 24 April 2017 at 10:32, Anthony Hughes wrote:
> This is a heads up that crash charts provided by Bugzilla Socorro Lens are
> currently broken in
This is a heads up that crash charts provided by Bugzilla Socorro Lens are
currently broken in Nightly due to the landing of bug 1317697. Any
suggestions for how I can fix this are welcome via
https://github.com/ashughes1/bugzilla-socorro-lens/issues/20.
Thank you
--
Anthony Hughes
Senior Qualit
As a follow up, it looks like the device motion events defined in the
device sensors:
http://searchfox.org/mozilla-central/source/dom/system/nsDeviceSensors.cp
should also be restricting based on isSecureContext.
The spec mentions "should take into consideration the following suggestions":
https:
As mentioned a permission prompt isn't great.
In its current state it should probably be considered a "powerful feature"
that we can remove just for secure context. Granted this doesn't fix the
exploit mentioned here though.
Freddy highlighted that the spec itself suggests the Generic Sensor API
The Ambient Light spec defers its security and privacy considerations to
the generic sensors specification, which states
> all interfaces defined by this specification or extension
> specifications must only be available within a secure context.
Would we require telemetry before we restricted this
The post suggests that limiting precision would mitigate the issue. We
could do that immediately while we wait for telemetry to roll in.
The post says reducing the frequency of the readings would not be very
effective, but maybe we should reduce the frequency anyway? Possibly
firing an event eve
Hi,
there is a relatively recent blog post [1] by Lukasz Olejnik and Artur
Janc that explains how one can steal sensitive data using the Ambient
Light Sensor API [2].
We ship the API and it's enabled by default [3,4] and it seems we have no
telemetry for this feature.
Unshipping for non-secure conte
On Wed, Oct 26, 2016 at 9:30 AM, Chris Peterson wrote:
> I have a patch that makes the Battery API chrome-only and fixes the
> web-platform tests.
We ended up landing this patch and thereby no longer expose the API to
web sites in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=1313580