Add Input Elements to Mitigation Strategies

Fixes #189.
w3c · May 15, 2017 · 112fe0d · 112fe0d
1 parent 0229a59
commit 112fe0d
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/index.bs b/index.bs
@@ -37,6 +37,8 @@ urlPrefix: https://html.spec.whatwg.org/multipage/; spec: HTML
       text: origin; url: origin-2
       text: navigating; url: navigate
       text: browsing context
+    urlPrefix: interaction.html
+      text: focused; url: focused
 urlPrefix: http://w3c.github.io/hr-time/; spec: HR-TIME-2
   type: interface
     text: DOMHighResTimeStamp; url: dom-domhighrestimestamp
@@ -50,6 +52,7 @@ urlPrefix: https://w3c.github.io/page-visibility; spec: PAGE-VISIBILITY
 
 <pre class=link-defaults>
 spec: webidl; type:dfn; text:attribute
+spec:html; type:attribute; for:HTMLInputElement; text:type
 </pre>
 
 
@@ -382,7 +385,7 @@ Limiting the maximum polling frequency prevents use cases
 which rely on low latency or high data density.
 
 
-<h4 id="stopping-sensor" dfn>Stopping the sensor altogether</h4>
+<h4 id="stop-sensor" dfn>Stop the sensor</h4>
 
 This is obviously a last-resort solution,
 but it can be extremely effective if it's temporal,
@@ -404,7 +407,7 @@ Discarding intermediary readings prevents certain use cases,
 such as those relying on certain kinds of filters.
 
 
-<h4 id="reducing-accuracy" dfn>Reducing accuracy</h4>
+<h4 id="reduce-accuracy" dfn>Reduce accuracy</h4>
 
 Reducing the accuracy of [=sensor readings=]
 or sensor reading timestamps
@@ -422,14 +425,22 @@ it shouldn't be used in practice
 as it is easy to filter out the added noise.
 
 
-<h4 id="informing-user">Keeping the user informed about API use</h4>
+<h4 id="inform-user">Keep the user informed about API use</h4>
 
 User agents may choose to keep the user informed
 about current and past use of the API.
 
 Note: this does not imply keeping a log of the actual [=sensor readings=]
 which would have issues of its own.
 
+<h4 id="input-elements">Input Elements</h4>
+
+When an <{input}> element, whose [=browsing context container=]'s [=node document=]'s
+[=origin=] is not [=same origin-domain=] with its [=parent browsing context=]'s document's
+[=origin=], is [=focused=], the user agent should [=stop the sensor=], or alternatively,
+[=reduce accuracy=] and [=limit maximum polling frequency=], to mitigate against PIN
+skimming attacks that try to correlate the user's input with sensor readings.
+
 
 <h2 id="concepts">Concepts</h2>