On Mon, Jun 4, 2012 at 5:16 AM, Paul Theriault <[email protected]> wrote: > My main concern was side-channel attacks - there have been several papers > released on sniffing passwords based on accelerometer information. Limiting > access to the foreground only would be a elegant security solution to that > specific threat. However on reflection, I think the permission depends on > the type of sensor (or combination of sensors) being made available. Or is > the point of this API that all sensors must be designed to be safe for > untrusted web content?
I agree that we should do a per-sensor judgement. For get-information-from-outside-world sensors that we currently have implemented: * acceleration/gravity * magnetic field/orientation * rotation * ambient light * proximity I think turning the sensor off for background pages and apps would be the safer thing to do. I can't think of any great use cases that it would disable off the top of my head, but I could be wrong. / Jonas _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
