From fb42068d9207bdba780f6b5b7ec42ec843aba380 Mon Sep 17 00:00:00 2001 From: Matt Reynolds Date: Fri, 18 Oct 2019 16:49:03 -0700 Subject: [PATCH 1/2] Require secure context for gamepad state and events --- index.html | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/index.html b/index.html index bba99f2..e66b157 100644 --- a/index.html +++ b/index.html @@ -121,7 +121,7 @@ } - +

The Gamepad specification defines a low-level interface that represents @@ -212,7 +212,7 @@

This interface defines an individual gamepad device.

-        [Exposed=Window]
+        [Exposed=Window, SecureContext]
         interface Gamepad {
           readonly attribute DOMString id;
           readonly attribute long index;
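Review bot: Adding SecureContext to the extended attributes of interface Gamepad removes the interface object from non-secure pages altogether, and the only prose in view ("This interface defines an individual gamepad device.") gives authors no hint of that. Add a short non-normative note next to the IDL saying that Gamepad, GamepadButton and GamepadEvent are exposed only in secure contexts, so that a page doing feature detection on those names over plain HTTP can tell why they are missing.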
@@ -321,7 +321,7 @@ 

device.

-        [Exposed=Window]
+        [Exposed=Window, SecureContext]
         interface GamepadButton {
           readonly attribute boolean pressed;
           readonly attribute boolean touched;
@@ -428,6 +428,12 @@ 

each Gamepad present at the index in the array specified by its {{Gamepad/index}} attribute. Array indices for which there is no connected Gamepad with the corresponding index should return null. + +

+ If the environment settings object is a non-secure + context return an empty array. Optionally, inform the developer + that the API can only be used from secure contexts. +

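Review bot: The added sentence "If the environment settings object is a non-secure context return an empty array" does not say which environment settings object is meant, and it is appended after the run of MUST requirements on the returned array, so a reader cannot tell that it overrides them. Name the object (for example, the current settings object of the calling global), state the check before the snapshot requirements, and use MAY rather than "Optionally" so the sentence matches the uppercase requirement keywords used elsewhere in the paragraph. Returning an empty array also implies that getGamepads() stays callable on non-secure pages while the three interfaces are hidden; if that asymmetry is intended, say so in the text.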
The gamepad state returned from getGamepads() does not reflect @@ -455,7 +461,7 @@

GamepadEvent Interface

-        [Exposed=Window]
+        [Exposed=Window, SecureContext]
 
         interface GamepadEvent: Event {
           constructor(DOMString type, GamepadEventInit eventInitDict);
@@ -757,6 +763,10 @@ 

page was loaded, the gamepadconnected event SHOULD be dispatched when the user presses a button or moves an axis.

+

+ A user agent MUST NOT dispatch this event type if the + environment settings object is a non-secure context. +

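Review bot: "the environment settings object" in the added MUST NOT sentence has no referent at this point in the text. The event is dispatched to a window, so word the condition in terms of that window's settings object being a non-secure context. The context sentence just above uses SHOULD for dispatching gamepadconnected, so also make the precedence explicit, ideally by stating the secure context condition before the dispatch rule rather than after it.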
@@ -776,6 +786,10 @@

event for that gamepad to a window, a gamepaddisconnected event MUST be dispatched to that same window.

+

+ A user agent MUST NOT dispatch this event type if the + environment settings object is a non-secure context. +

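Review bot: The added MUST NOT sentence lands directly after a context line ending "a gamepaddisconnected event MUST be dispatched to that same window", so the paragraph now holds two opposing MUST-level requirements with no stated precedence. Fold the secure context condition into the existing sentence or put it first. The wording is also a verbatim copy of the sentence added for gamepadconnected, so consider defining the rule once and referring to it from both event descriptions.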
From 4b68dde108615b98bd585a6c48ca5d21373acad4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 25 Oct 2019 16:48:43 +1100 Subject: [PATCH 2/2] Do the check secure context check first --- index.html | 45 +++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/index.html b/index.html index e66b157..9c2fbf7 100644 --- a/index.html +++ b/index.html @@ -413,34 +413,35 @@

- getGamepads + getGamepads()
- Retrieve a snapshot of the data for the the currently connected and - interacted-with gamepads. Gamepads MUST only appear in the list if - they are currently connected to the user agent, and at least - one device has been interacted with by the user. If no devices have - been interacted with, devices MUST NOT appear in the list to avoid a - malicious page from fingerprinting the user. The length of the array - returned MUST be one more than the maximum index value of the Gamepad - objects returned in the array. The entries in the array MUST be the - set of Gamepad objects that are visible to the current page, with - each Gamepad present at the index in the array specified by its - {{Gamepad/index}} attribute. Array indices for which there is no - connected Gamepad with the corresponding index should return null. - +

+ The gamepad state returned from {{Navigator/getGamepads()}} does + not reflect disconnection or connection until after the + gamepaddisconnected or gamepadconnected events have + fired. +

- If the environment settings object is a non-secure - context return an empty array. Optionally, inform the developer - that the API can only be used from secure contexts. + If the environment settings object is a non-secure + context return an empty array. Optionally, inform the developer + that the API can only be used from secure contexts.

-

- The gamepad state returned from getGamepads() does not reflect - disconnection or connection until after the gamepaddisconnected - or gamepadconnected events have fired. + Otherwise, retrieve a snapshot of the data for the the currently + connected and interacted-with gamepads. Gamepads MUST only appear + in the list if they are currently connected to the user + agent, and at least one device has been interacted with by the + user. If no devices have been interacted with, devices MUST NOT + appear in the list to avoid a malicious page from fingerprinting + the user. The length of the array returned MUST be one more than + the maximum index value of the Gamepad objects returned in the + array. The entries in the array MUST be the set of Gamepad objects + that are visible to the current page, with each Gamepad present at + the index in the array specified by its {{Gamepad/index}} + attribute. Array indices for which there is no connected Gamepad + with the corresponding index should return null.

-

As an example, if there is one connected gamepad with an index of 1, then the following code snippet describes the expected behavior:
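Review bot: The re-added "Otherwise" paragraph carries over "for the the currently" and the lowercase "should return null" from the removed text. Every line of the paragraph is being rewritten anyway, so fix the duplicated word here and decide whether that "should" is meant as a normative SHOULD. The subject line says the secure context check comes first, yet the paragraph about gamepaddisconnected and gamepadconnected timing now sits ahead of it; if that paragraph is a note rather than a step, say so, or move it after the "Otherwise" branch. The check itself still reads "the environment settings object" without naming which one.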