Open nondebug opened 1 year ago
I'm not sure why adding even more API to Web Serial API would somehow lessen our existing concerns.
Thanks for taking a look. I don't expect this feature would change WebKit's position on the API but filing the standards-position request gives us a place to discuss any new concerns that may be associated with the feature. The Tracking Prevention article documents the position well but there's no place to leave comments.
Is this requesting review of the new additions to Web Serial (Bluetooth RFCOMM serial ports)? Or for the Web Serial baseline spec itself? I am asking because RFCOMM support doesn't appear to be in the linked Web Serial spec yet, but it's provided as the link for "URL to the spec".
Here's the pull request for the Bluetooth RFCOMM spec changes: https://github.com/WICG/serial/pull/189
I would like WebKit to generate an official position on Web Serial API that we can link from Chrome Platform Status, TAG design reviews, etc. The Tracking Prevention in WebKit article describes the position but doesn't have a published-on date which makes it difficult to determine if it's still the official position. It also doesn't use the "support"/"neutral"/"oppose"/"not considering" categories adopted in this repo. I've been assuming the article implies "oppose" positions for the listed APIs but I would rather not have to assume.
According to the article, Web Serial API and other APIs are considered unsafe due to privacy and security risks. The Bluetooth RFCOMM feature doesn't address these risks so I expect there isn't much value in evaluating the feature separately from the rest of the spec. If you want, I can file a separate issue just for the Bluetooth RFCOMM feature.
The article considers fingerprinting risk to be blocking but only describes the concerns in unspecific terms. Web Serial API already includes some fingerprinting mitigations. If WebKit has the bandwidth to take another look, it would be helpful to re-open this discussion with a focus on where the existing mitigations fall short, and where the current design exposes users to privacy and security risks with no mitigations.
WebKittens
@marcoscaceres
Title of the spec
Web Serial API
URL to the spec
https://wicg.github.io/serial/
URL to the spec's repository
https://github.com/wicg/serial/
Issue Tracker URL
https://github.com/WICG/serial/issues
Explainer URL
https://github.com/WICG/serial/blob/main/EXPLAINER.md
TAG Design Review URL
No response
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/687
WebKit Bugzilla URL
No response
Radar URL
No response
Description
WebKit declined to implement several APIs, including Web Serial, due to concerns over fingerprinting:
https://webkit.org/tracking-prevention/
I'm re-requesting WebKit's position on this emerging web specification because of changes we are planning to make to support Bluetooth RFCOMM serial ports.
Chrome Platform Status: https://chromestatus.com/feature/5686596809523200 Explainer: https://github.com/WICG/serial/blob/main/EXPLAINER_BLUETOOTH.md
Even though Apple is not considering implementing this API, we are still interested in any feedback WebKit can provide on Web Serial and our proposal to support Bluetooth RFCOMM serial ports.