New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How much needs to be hidden from pages that lose focus during NFC operations? #53

Open
jyasskin opened this Issue Sep 22, 2015 · 1 comment

Comments

Projects
None yet
2 participants
@jyasskin

jyasskin commented Sep 22, 2015

The current spec allows pages to start operations in the foreground, and then leaks them some information if an event happens while they're unfocused/obscured (e.g. whether an NFC device came nearby). Does that match the security model folks are thinking about?

@zolkis

This comment has been minimized.

Show comment
Hide comment
@zolkis

zolkis Sep 23, 2015

Contributor

Pasting the context here.

Problem:

jyasskin: This looks like an information leak: while the page is in the background, it learns the instant an NFC radio comes nearby. Instead, maybe just ignore any nearby devices until the page is focused again?

Reply:

zolkis: In order to set up a watch, the page needs to get permission, and they do get a Promise. Then we need to respect the functionality: if the page is put in the background, there needs to be a feedback why the expected functionality (data transfer) does not happen. We can create an issue (i.e. needs more discussion) if you think this is not a good policy.

Contributor

zolkis commented Sep 23, 2015

Pasting the context here.

Problem:

jyasskin: This looks like an information leak: while the page is in the background, it learns the instant an NFC radio comes nearby. Instead, maybe just ignore any nearby devices until the page is focused again?

Reply:

zolkis: In order to set up a watch, the page needs to get permission, and they do get a Promise. Then we need to respect the functionality: if the page is put in the background, there needs to be a feedback why the expected functionality (data transfer) does not happen. We can create an issue (i.e. needs more discussion) if you think this is not a good policy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment