Martin, you gave some reasonable mitigation steps earlier in this thread that I think are probably worth revisiting.
Anne and Martin, can you think of changes to request for the Sensor API that we would resolve or reasonably improve the existing fingerprinting concerns? On Wed, Jan 10, 2018 at 7:23 PM, Martin Thomson <m...@mozilla.com> wrote: > What Anne said. None of these actions help address the primary concern. > > On Wed, Jan 10, 2018 at 2:23 PM, <cwiemeer...@mozilla.com> wrote: > > Exciting to hear, Kyle! > > > > As mentioned earlier, Chrome for Android M63+ has shipped an > implementation (disabled by default, with an Origin Trial) of the Generic > Sensor API, but TAG review (https://github.com/w3ctag/ > design-reviews/issues/207) feedback needs to be addressed. > > > > For our WebVR use cases, there's an ongoing discussion for the WebVR > Polyfill here: https://github.com/googlevr/cardboard-vr-display/issues/10 > > > > Jonathan/Anne/Martin/Kyle, feel free to correct me, but as I see it, > here's a potential process of the actionable steps we can take to securing > the legacy Device Sensor APIs today and eventually deprecating them in > favor of an implementation of the Generic Sensor APIs. > > > > 1. Lock down the Device Sensor APIs APIs in Gecko to only secure > contexts, with `deviceorientation`, `absolutedeviceorientation`, and > `devicemotion` being enabled by default. > > * Despite the bug title, the WIP patches in http://bugzil.la/1359076 do > handle this with the `device.sensors.orientation.enabled` flag: > > * https://reviewboard.mozilla.org/r/160400/diff/#index_header > > > > 2. Implement the Generic Sensor APIs in Gecko. > > * Spec: > > * https://w3c.github.io/sensors/ > > * File a Bugzilla tracking bug for Gecko implementation (à la > https://crbug.com/750018). > > * Announce Intent to Implement. > > * Chrome's platform status: > > * Platform feature page: > > * https://www.chromestatus.com/feature/5698781827825664 > > * Blink's Implementation (shipped in M63): > > * https://crbug.com/750018 > > * https://groups.google.com/a/chromium.org/forum/#!topic/ > blink-dev/TkfdVqYAYiE > > * https://developers.google.com/web/updates/2017/09/sensors- > for-the-web > > * Blink's Origin Trial (ends Feb 27, 2018): > > * https://groups.google.com/a/chromium.org/forum/#!topic/ > blink-dev/2zPZt3watBk > > * https://github.com/GoogleChrome/OriginTrials/ > blob/gh-pages/available-trials.md#current-experimental-features > > > > 2. Implement the Feature Policy API in Gecko. > > * Spec: > > * https://wicg.github.io/feature-policy/ > > * https://w3c.github.io/sensors/#feature-policy-api > > * https://github.com/WICG/feature-policy/blob/gh-pages/ > features.md#sensor-features > > * https://docs.google.com/document/d/1k0Ua-ZWlM_ > PsFCFdLMa8kaVTo32PeNZ4G7FFHqpFx4E/edit > > * File a Bugzilla tracking bug for Gecko implementation for implementing > the Feature Policy (à la Blink's: https://crbug.com/623682). > > * File a Bugzilla tracking bug for Gecko implementation for having the > legacy Device Orientation API (or Generic Sensor API, if it's implemented) > use the Feature Policy (à la Blink's: https://crbug.com/750018). > > * Announce Intent to Implement the Feature Policy. > > * Announce Intent to Implement the Feature Policy for the Device > Orientation and/or Generic Sensor APIs. > > * Chrome's platform status: > > * Platform feature page for Feature Policy: > > * https://www.chromestatus.com/feature/5694225681219584 > > * Blink's Implementation for Feature Policy (shipped in M60): > > * https://crbug.com/623682 > > * https://bugs.chromium.org/p/chromium/issues/detail?id= > 623682&desc=2 > > * Platform feature page for page for Feature Policies for the Device > Orientation API (i.e., `deviceorientation`, `deviceorientationabsolute`, > and `devicemotion` events): > > * https://www.chromestatus.com/feature/5758486868656128 > > * Blink's in-progress Implementation for Feature Policy for the > Device Orientation API: > > * https://crbug.com/750018 > > > > 4. Deprecate the legacy Device Orientation API in Gecko. > > * This email thread could suffice, but a new thread might be best. > > * Close http://bugzil.la/1359076, and file a new Bugzilla tracking bug > for removing Gecko implementation. > > * Announce Intent to Deprecate. > > _______________________________________________ > > dev-platform mailing list > > dev-platform@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
