On Thu, Jan 4, 2018 at 5:50 PM, <hearcomestre...@gmail.com> wrote:
> FYI: As implemented in Chrome, permission is automatically granted to use the
> Generic Sensor API (`chrome://flags/#enable-generic-sensor`) in secure
> contexts (e.g., HTTPS, localhost).

Requiring secure contexts is not a security feature. It's necessary if we are to persist permission, but an attacker can use HTTPS. Requiring focus is good, as is using feature policy (and a default allowlist of 'self' is a good starting point), but neither of those is entirely sufficient either.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform