Firefox To Deprecate Sensor APIs
Written by Mike James   
Wednesday, 21 March 2018

Mozilla has decided to remove two W3C standards in Firefox. You might agree with its risk assessment, but it is a worrying time when browser makers get to pick and choose which standards are safe to use.

As a programmer you might agree that the browser sandbox, and the distance it puts between you and the hardware, is annoying. The idea that the browser is the operating system that you write for is an attractive one and if the browser were as powerful as the operating system then there would be no distinction between native apps and web apps.

Back in the days when Mozilla was trying to make Firefox an OS, lots of new hardware APIs were being added to allow access to the hardware needed to write apps for a phone. This was an interesting time because most of these new APIs were not part of any standard.

Now Mozilla has decided to deprecate the Ambient Light and Proximity Sensor APIs. At the moment these APIs are turned off by default in the current early beta/DevEdition and will be turned off in Firefox 62.

 

mozhacks

 

The reason for disabling these APIs is that both have been accused of security problems. The case against the proximity sensor API seems quite weak - just a basic idea that if data can be used to profile a user it will be. The case against the ambient light sensor API is stronger. Using it an attacker can discover the color of the current screen which might leak information on what web page the user was looking at. More realistically you could write a program that showed urls one at a time in using different styled for visited and unvisited states and then simply check for the color to discover if the user had visited the url. Less practical is the idea that an image or a QR code could be discovered by displaying each pixel in turn as big as the screen and checking for the color.

The solution in both cases is to degrade the accuracy of measurement and rate limit the access. Instead of doing this Mozilla have added flags that disable both APIs by default, and in the future the Device Orientation API will also be deprecated. Whether or not the APIs will be removed in the future is unclear and it probably depends on what the W3C do about amending the standards.

 

proxapi

At least two of these buttons won't work in the near future and some others might follow.

Your opinion on Mozilla's approach probably depends on how you view the severity of the threat and how much it is going to affect any apps you are working on. Interestingly Mozilla was very keen on the new Proximity API when if was being developed.

What it does indicate is that browser makers are becoming increasingly opinionated on how browsers should work; Microsoft, Google and Apple mainly to protect their business interests and Mozilla in an attempt to be the overtly good guy. It would be nice to say that the job of the browser maker was to create something that was as standard as possible, but this would ignore the imperfect operation of the standard makers. It also emphasises how difficult it is to create a safe and secure system because the ingenuity of man or woman knows no bounds.

firefoxquantum

More Information

Intent to remove Ambient Light and Proximity sensor APIs

The Proximity API

Related Articles

Mozilla Privacy Study Vindicates Tracking Protection

Firefox Quantum - Fast For Good

Mozilla Looks Into Health of Internet

Your Android Could Leak Data Via USB Charging

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


Gifts For Geeks 2024
22/11/2024

Are you ready for Thanksgiving, when overeating remorse and a surfeit of being thankful causes the unsettling thought that there are only four weeks till the Xmas break? So here is a mix of weird [ ... ]



Apache Releases Tomcat 11
07/11/2024

Apache has announced the release of Tomcat 11, as well as marking the 25th anniversary of the first commit to the Apache Tomcat source code repository since becoming an ASF project.


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 21 March 2018 )