RESOLVED FIXED 192595
Restrict DeviceMotion / DeviceOrientation APIs to secure contexts
https://bugs.webkit.org/show_bug.cgi?id=192595
Summary Restrict DeviceMotion / DeviceOrientation APIs to secure contexts
Chris Dumez
Reported 2018-12-11 10:34:02 PST
Restrict DeviceMotion / DeviceOrientation APIs to secure contexts.
Attachments
Patch (16.09 KB, patch)
2018-12-11 10:38 PST, Chris Dumez
dino: review+
ews-watchlist: commit-queue-
Archive of layout-test-results from ews123 for ios-simulator-wk2 (2.42 MB, application/zip)
2018-12-11 12:42 PST, EWS Watchlist
no flags
Chris Dumez
Comment 1 2018-12-11 10:34:21 PST
Chris Dumez
Comment 2 2018-12-11 10:38:36 PST
EWS Watchlist
Comment 3 2018-12-11 12:42:02 PST
Comment on attachment 357063 [details]
Patch

Attachment 357063 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/10355886

New failing tests:
http/tests/events/device-orientation-motion-non-secure-context.html
EWS Watchlist
Comment 4 2018-12-11 12:42:03 PST
Created attachment 357069 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.13.6
Chris Dumez
Comment 5 2018-12-11 13:49:56 PST
Joseph Pecoraro
Comment 6 2018-12-11 13:55:03 PST
Comment on attachment 357063 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=357063&action=review

> Source/WebCore/page/DOMWindow.cpp:1834
> +    document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, "Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page."_s);

Shouldn't this read: "Blocked attempt *to* add *a* device motion or ..."
Chris Dumez
Comment 7 2018-12-11 13:55:59 PST
(In reply to Joseph Pecoraro from comment #6)
> Comment on attachment 357063 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=357063&action=review
>
> > Source/WebCore/page/DOMWindow.cpp:1834
> > +    document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, "Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page."_s);
>
> Shouldn't this read: "Blocked attempt *to* add *a* device motion or ..."

Ahaha. I copy/pasted. Will fix.
Chris Dumez
Comment 8 2018-12-11 14:01:18 PST
(In reply to Chris Dumez from comment #7)
> (In reply to Joseph Pecoraro from comment #6)
> > Comment on attachment 357063 [details]
> > Patch
> >
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=357063&action=review
> >
> > > Source/WebCore/page/DOMWindow.cpp:1834
> > > +    document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, "Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page."_s);
> >
> > Shouldn't this read: "Blocked attempt *to* add *a* device motion or ..."
>
> Ahaha. I copy/pasted. Will fix.

<https://trac.webkit.org/changeset/239089>
Takahiro Ichihashi
Comment 9 2019-02-05 08:43:28 PST
Sorry to sneak in, but it is strange to me that devicemotion (on the top-level frame) seems to be turned off by default on 12.2.

Could not find a symptom / discussion in Bug 192631, which implements the new opt-out setting.

https://twitter.com/rmondello/status/1091073298409160705
https://twitter.com/johnwilander/status/1090334290326446082

Safari already opts out of the devicemotion API in iframes, as seen in Bug 152299.
Safari (very recently) did Bug 192595, which limits the API to secure contexts.

It is not so obvious to me what the security team is actually concerned about, but my guess is that it is an ads-related concern. If so, Safari could just keep restricting the API in iframes (not sure if the people behind the move are aware that the API is already restricted in cross-origin iframes).

I do not know of an apparent use case where devs can "abuse" the API in the top-level frame, while I see the API could play some key roles in providing better web navigation in general, not just in the VR/game-related use cases discussed on Twitter.

Hope this is just a mistake (not likely though) or something that can be discussed/improved, not a finalization.
Chris Dumez
Comment 10 2019-02-05 08:49:03 PST
(In reply to Takahiro Ichihashi from comment #9)
> Sorry to sneak in, but it is strange to me that devicemotion (on top-level
> frame) seems to be turned off by default on 12.2.
>
> Could not find a symptom / discussion in the Bug 192631 which implements the
> new opt-out setting.
>
> https://twitter.com/rmondello/status/1091073298409160705
> https://twitter.com/johnwilander/status/1090334290326446082
>
> Safari already opts-out devicemotion api in iframes as seen in Bug 152299
> Safari (very recently) did Bug 192595, which limits the api to secure
> contexts
>
> Not so obvious to me what is actually concerned by security team, but my
> guess is it is ads-related concern - but if so Safari could just keep
> restricting the API in Iframe (Not sure if people behind the move aware that
> the API is already restricted in cross-domain iframe).
>
> I do not know apparent use-case where devs can "abuse" the api in top-level
> frame, while I see the API could play some key roles to provide better
> web-navigation in general, not just in vr/game related use cases as
> discussed on Twitter.
>
> Hope this is just mistake (not likely though--) or something that can be
> discussed/improved, not a finalization.

One concern is third-party tracking/fingerprinting scripts getting included in the main frame. We've been blocking access to this API from third-party iframes for years but this is unfortunately not sufficient to prevent fingerprinting.
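The two restrictions discussed in this thread (no DeviceMotion/DeviceOrientation in non-secure contexts after this bug, and none from child frames that are not same-origin with the main page, per the console warning quoted in comment 6) are both enforced silently: WebKit logs a warning and never delivers events, it does not throw. The following is an added example, not code from the WebKit patch or from anyone in this thread. It shows what a page can check up front and how to detect the silent refusal at runtime. The window-like objects, the `fakeTimers` helper, the origin names and the 2000 ms timeout are constructed for the offline demo; the real checks are `window.isSecureContext` and whether `top.location` is readable.

```javascript
'use strict';

// Static checks a page can make before registering a listener. `win` is any
// window-shaped object (the real `window`, or the constructed fakes below).
function deviceMotionAvailability(win) {
  if (!('DeviceMotionEvent' in win)) return 'unsupported';
  // Bug 192595: non-secure (http://) contexts no longer get the API.
  if (!win.isSecureContext) return 'insecure-context';
  // Per the DOMWindow.cpp console warning quoted in this bug: listeners added
  // from a child frame that is not same-origin with the main page are dropped.
  // Reading top.location.origin from a cross-origin frame throws in browsers,
  // so a throw is treated as "cross-origin" here.
  let sameOriginAsTop;
  try {
    sameOriginAsTop = win.top === win || win.top.location.origin === win.location.origin;
  } catch (e) {
    sameOriginAsTop = false;
  }
  return sameOriginAsTop ? 'available' : 'cross-origin-frame';
}

// Runtime probe. Because a refused listener produces no exception, the only
// reliable signal is "no devicemotion event arrived within timeoutMs".
// Timer functions are injectable so the probe can be driven deterministically.
function probeDeviceMotion(target, timeoutMs, onResult, timers = { setTimeout, clearTimeout }) {
  let settled = false;
  let timer = null;
  const finish = (status, sample) => {
    if (settled) return;
    settled = true;
    timers.clearTimeout(timer);
    target.removeEventListener('devicemotion', onEvent);
    onResult({ status, sample });
  };
  const onEvent = (ev) => finish('events', ev);
  target.addEventListener('devicemotion', onEvent);
  timer = timers.setTimeout(() => finish('silent', null), timeoutMs);
  return () => finish('cancelled', null); // caller may abort early
}

// Constructed window-like objects. `topOrigin` undefined means top-level frame.
function fakeWindow({ secure, origin = 'https://example.test', topOrigin }) {
  const win = { DeviceMotionEvent: class {}, isSecureContext: secure, location: { origin } };
  if (topOrigin === undefined) {
    win.top = win;
  } else {
    // Emulate the SecurityError a browser throws when a cross-origin child
    // frame reads top.location.origin.
    win.top = { location: { get origin() {
      if (topOrigin !== origin) throw new Error('SecurityError');
      return topOrigin;
    } } };
  }
  return win;
}

// Constructed deterministic timers: fire() runs every pending callback as if
// its deadline had passed.
function fakeTimers() {
  const pending = new Set();
  return {
    setTimeout(fn) { const id = { fn }; pending.add(id); return id; },
    clearTimeout(id) { pending.delete(id); },
    fire() { for (const id of [...pending]) { pending.delete(id); id.fn(); } },
  };
}

// Runs the probe against a plain EventTarget (global in Node 15+): once with a
// devicemotion event dispatched, once with nothing arriving before the timeout.
function demoProbe(deliverEvent) {
  const timers = fakeTimers();
  const target = new EventTarget();
  let result = null;
  probeDeviceMotion(target, 2000, (r) => { result = r; }, timers);
  if (deliverEvent) target.dispatchEvent(new Event('devicemotion'));
  timers.fire(); // no-op if the probe already settled on the event
  return result.status;
}

console.log('http top-level      :', deviceMotionAvailability(fakeWindow({ secure: false })));
console.log('https top-level     :', deviceMotionAvailability(fakeWindow({ secure: true })));
console.log('https cross-origin  :', deviceMotionAvailability(fakeWindow({ secure: true, topOrigin: 'https://ads.example' })));
console.log('probe, event arrives:', demoProbe(true));
console.log('probe, nothing      :', demoProbe(false));
```

In a real page the probe result is what should drive a fallback (for example, keyboard/touch navigation instead of tilt), since neither the static checks nor the silent refusal would otherwise surface to the user.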
Takahiro Ichihashi
Comment 11 2019-02-05 09:28:19 PST
Thanks for your comment. As far as I have searched quickly so far, this (devicemotion-based fingerprinting) is rather a potential threat; I might be wrong though.

My current suggestion/proposal would be to restrict the API (in the top-level frame) only in private mode Safari. There are already such features restricted in incognito mode, e.g. localStorage/sessionStorage. The ideal way would be to combine some configurations into one trigger/checkbox labeled something like "Advanced Privacy Protection", and to add an API that generates a user prompt, like requestDeviceMotion().

Another way is to implement or build a database of websites or JavaScripts that are blacklisted, considering the fact that the potential number of websites that benefit from or implement devicemotion-based fingerprinting could be very limited.