diff --git a/index.html b/index.html index 7126df4..0050d94 100644 --- a/index.html +++ b/index.html @@ -96,7 +96,7 @@ } - +

This document specifies an API that allows web applications to request @@ -381,7 +381,10 @@

instance, a device might not yield exactly 180° when laying flat, but instead values ranging from 175° to 185°. Device makers SHOULD make sure that the physical device postures map correctly to the postures - defined by this specification. + defined by this specification. Device makers are also allowed to determine + the posture using more sensors than just the hinge angle. For example, + they can also detect if keyboard is docked on the bottom half of the screen + or not. Another example is to detect whether the kickstand is deployed or not.

Some devices might also lack one or more of the postures due to @@ -524,54 +527,69 @@

- Security and Privacy considerations + Security Considerations

- The Device Posture API exposes a posture determined from the - hinge angle value and other sensors. + No new security considerations have been reported on this specification.

+
+
+

+ Privacy considerations +

- Typical sensor readings are sent at a constant frequency to whomever is - listening to its readings. However the fold angle only communicates its - value when the hinge is manipulated by the user. Variations in the - angle’s readings and posture calculation, as well as event dispatching - frequency offer a possibility of fingerprinting to identify users. User - agents may reduce this risk by limiting or coalescing events when - exposing this information to web developers. Users don’t constantly - adjust the angle, so the fold angle value is changing in bursts: the - events may be dispatched at a very low frequency most of the time and - fire at a high frequency when the device is being opened or closed. In - order for the events to be dispatched, the content must be on the - foreground and visible to the user. Because the API does not directly - expose the raw angle values, but a more abstract posture with fewer - possible states, fingerprinting possibilities are more limited. + The Device Posture API exposes a posture determined from the hinge + angle sensor, but additional data can be used to determine the posture + such as whether the keyboard is attached or not, whether the + kickstand is deployed or not, etc.

- If the same code using the API can be used simultaneously in different - window contexts on the same device it may be possible for that code to - correlate the user across those two contexts, creating unanticipated - tracking mechanisms. + Device Posture exposes high level concept and not sensor values + making fingerprinting possibilities more limited. Changing + posture is a physical manipulation done by the user. The frequency of + the posture changes are low, users do not constantly adjust the angle, + and even if they do the posture will only be changed in certain + scenarios as described in [=posture values table=].

- Types of security and privacy threats + Types of privacy threats

This section is non-normative.

+

+ Identifying users across contexts +

+

+ If this API can be used simultaneously in different window contexts + on the same device it may be possible for that code to correlate + the user across those two contexts, creating unanticipated + tracking mechanisms. However, because the posture value is typically + stable for a long time it could only be used to verify that two users + are not the same, but it would not help to identify a given user given + the fact that there are multiple types and models of foldable devices. +

+

+ This API's entropy is comparable to the + pointer + API which tells whether the user's primary input is touch-based or not. + However, the primary input can change on devices where + the keyboard can be removed/added or the tablet mode is activated/deactivated. +

+ +

+ iframes +

+

+ iframes have access to the posture through this API and therefore could use + this information to identify users as mentioned in [[[#identifying-users-across-contexts]]]. +

Mitigation Strategies

-

- This section is non-normative. -

-

- This section gives a high-level presentation of some of the - mitigation strategies specified in the normative sections of this - specification. -

Secure Context
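Review bot: In the hunk at @@ -381,7 +381,10, the added sentence "Device makers are also allowed to determine the posture using more sensors than just the hinge angle" states a permission in plain wording directly after a sentence that uses the keyword SHOULD. If it is meant as a normative permission, write it with MAY ("Device makers MAY determine the posture using more sensors than just the hinge angle") so its status is unambiguous. Since keyboard docking and kickstand state now feed the posture, this is also the place to say that only the resulting posture is exposed, not those inputs. Minor: "if keyboard is docked" is missing an article ("if the keyboard is docked").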
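Review bot: In the hunk at @@ -524,54 +527,69, the rewritten privacy text drops two protections that the removed paragraph stated: that user agents may reduce fingerprinting risk "by limiting or coalescing events", and that "the content must be on the foreground and visible to the user" for events to be dispatched. The new "Identifying users across contexts" paragraph argues only from the posture value being stable and does not address the timing of posture changes observed simultaneously in two contexts, which is the case the paragraph opens with. The new "iframes" paragraph names the risk without stating any mitigation. Suggest keeping the visibility and coalescing statements, or linking to where they are specified normatively, and saying what limits iframe access. Removing "This section is non-normative." under Mitigation Strategies also leaves that section's status unclear, so the commit should state whether that is intended. Minor wording: "exposes high level concept" should read "exposes a high-level concept", and "The frequency of the posture changes are low" should read "is low".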