Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebVR should follow security and privacy considerations for Generic Sensors #8

Open
NellWaliczek opened this issue Sep 12, 2018 · 4 comments

Comments

@NellWaliczek
Copy link
Member

From @ddorwin on June 27, 2017 19:21

WebVR exposes sensor data to the Open Web Platform. The Generic Sensor API specification “defines a framework for exposing sensor data to the Open Web Platform in a consistent way.” [1] WebVR should follow this framework, especially the security and privacy considerations ([2]). The Security check algorithm ([3]) and other parts may also be useful.

The DeviceOrientation API is the most similar to WebVR, which essentially exposes a higher-resolution/frequency version of the same data. This spec defers entirely to [2]. [4]

One might argue that some items may not apply when a user gesture is required, but a gesture is not required for magic window. Thus, such differentiation would place more requirements on non-presenting WebVR than the more powerful presenting mode.

Note that integration with the Permissions API, which is recommended by [2], is also preferred for features that use Feature Policy (#86).


In particular, note that [2] requires that “all interfaces defined by this specification or extension specifications must only be available within a secure context.” Note also that Chrome intends to deprecate DeviceOrientation on insecure origins [5] (this is an older API that predates the guidance in the current spec).

In the context of these similar specs, it is hard to argue that WebVR, especially when not presenting, should be available on insecure contexts. Furthermore, if non-presenting WebVR is not available on insecure contexts, it seems weird to allow the more powerful presenting mode in such contexts.


[1] https://w3c.github.io/sensors/
[2] https://w3c.github.io/sensors/#security-and-privacy
[3] https://w3c.github.io/sensors/#security-check
[4] https://w3c.github.io/orientation-sensor/#security-and-privacy
[5] https://crbug.com/481604

Copied from original issue: immersive-web/webxr#249

@NellWaliczek
Copy link
Member Author

From @anssiko on June 29, 2017 8:48

Looping in the Generic Sensor API editors @rwaldron @pozdnyakov @alexshalamov who can help iron out the security and privacy considerations for the WebVR API when you start flesh out these aspects in the "v2.0" spec.

I agree with @ddorwin's assessment that this problem space is largely shared with that of the Generic Sensor API and the concrete sensor APIs that extend it, and as such it'd make sense to tap into this existing body of knowledge on the topic where appropriate.

Edit: related #250.

@NellWaliczek
Copy link
Member Author

From @annevk on July 25, 2017 7:41

FWIW, Mozilla has a policy of sorts that new APIs should use secure contexts. We haven't really consistently enforced it thus far, but I think it would make sense for VR to add the [SecureContext] annotation to its objects.

@NellWaliczek
Copy link
Member Author

From @annevk on September 29, 2017 8:49

A commit by @toji linked from here indicates [SecureContext] has been added to some of the APIs, but https://w3c.github.io/webvr/spec/1.1/ still lacks those annotations. What's the status here?

cc @bfgeek @dbaron

@peterclemenko
Copy link

I have to agree. This looks like a valid thing to implement given the nature and fidelity of the data involved. As a red teamer I could use data science methods to look at sensor data so I can analyze and deanonymize/identify the user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants