|Firefox To Deprecate Sensor APIs|
|Written by Mike James|
|Wednesday, 21 March 2018|
Mozilla has decided to remove two W3C standards in Firefox. You might agree with its risk assessment, but it is a worrying time when browser makers get to pick and choose which standards are safe to use.
As a programmer you might agree that the browser sandbox, and the distance it puts between you and the hardware, is annoying. The idea that the browser is the operating system that you write for is an attractive one and if the browser were as powerful as the operating system then there would be no distinction between native apps and web apps.
Back in the days when Mozilla was trying to make Firefox an OS, lots of new hardware APIs were being added to allow access to the hardware needed to write apps for a phone. This was an interesting time because most of these new APIs were not part of any standard.
Now Mozilla has decided to deprecate the Ambient Light and Proximity Sensor APIs. At the moment these APIs are turned off by default in the current early beta/DevEdition and will be turned off in Firefox 62.
The reason for disabling these APIs is that both have been accused of security problems. The case against the proximity sensor API seems quite weak - just a basic idea that if data can be used to profile a user it will be. The case against the ambient light sensor API is stronger. Using it, an attacker can discover the color of the current screen, which might leak information on what web page the user was looking at. More realistically, you could write a program that showed URLs one at a time, using different styles for visited and unvisited states, and then simply check for the color to discover if the user had visited the URL. Less practical is the idea that an image or a QR code could be discovered by displaying each pixel in turn as big as the screen and checking for the color.
The solution in both cases is to degrade the accuracy of measurement and rate limit the access. Instead of doing this Mozilla have added flags that disable both APIs by default, and in the future the Device Orientation API will also be deprecated. Whether or not the APIs will be removed in the future is unclear and it probably depends on what the W3C do about amending the standards.
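The mitigation named above, degrading accuracy and rate limiting access, sketched as an added example that is not code from the article, Mozilla or the W3C. The 50 lux step, the one-second interval and the sample readings are assumed values constructed for illustration.

```javascript
// Added example: coarsen and rate limit raw illuminance readings before
// they reach page script. STEP_LUX and MIN_INTERVAL_MS are assumptions,
// not values taken from any specification or browser.
const STEP_LUX = 50;
const MIN_INTERVAL_MS = 1000;

// Degrade accuracy: snap a reading to the nearest multiple of `step`,
// so small changes in light level become indistinguishable.
function quantize(lux, step = STEP_LUX) {
  return Math.round(lux / step) * step;
}

// Rate limit: returns a handler that yields a coarse reading at most once
// per `minIntervalMs`, and null for readings that arrive too soon.
function makeHardenedSensor(step = STEP_LUX, minIntervalMs = MIN_INTERVAL_MS) {
  let lastEmitMs = -Infinity;
  return function onRawReading(lux, timestampMs) {
    if (timestampMs - lastEmitMs < minIntervalMs) return null;
    lastEmitMs = timestampMs;
    return quantize(lux, step);
  };
}

// Run a list of {t, lux} samples through the hardened handler and
// return only the readings a page would actually receive.
function filterReadings(samples, step, minIntervalMs) {
  const handler = makeHardenedSensor(step, minIntervalMs);
  return samples
    .map((s) => ({ t: s.t, lux: handler(s.lux, s.t) }))
    .filter((r) => r.lux !== null);
}

// Constructed input: a raw sensor polled every 100 ms for 3 s while the
// light level flips between two nearby values (212 and 219 lux).
function constructedSamples() {
  const samples = [];
  for (let i = 0; i < 30; i++) {
    samples.push({ t: i * 100, lux: i % 2 === 0 ? 212 : 219 });
  }
  return samples;
}

const raw = constructedSamples();
const hardened = filterReadings(raw);
console.log("raw readings:", raw.length,
  "distinct:", new Set(raw.map((s) => s.lux)).size);
console.log("hardened readings:", hardened.length,
  "distinct:", new Set(hardened.map((r) => r.lux)).size);
```

Quantization on its own still separates two levels that straddle a bucket boundary (224 and 226 lux map to 200 and 250 with this step), which is why it is paired with the rate limit rather than used alone.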
At least two of these buttons won't work in the near future and some others might follow.
Your opinion on Mozilla's approach probably depends on how you view the severity of the threat and how much it is going to affect any apps you are working on. Interestingly, Mozilla was very keen on the new Proximity API when it was being developed.
What it does indicate is that browser makers are becoming increasingly opinionated on how browsers should work; Microsoft, Google and Apple mainly to protect their business interests and Mozilla in an attempt to be the overtly good guy. It would be nice to say that the job of the browser maker was to create something that was as standard as possible, but this would ignore the imperfect operation of the standard makers. It also emphasises how difficult it is to create a safe and secure system because the ingenuity of man or woman knows no bounds.
|Last Updated ( Wednesday, 21 March 2018 )|