Expand on privacy issues related to background documents

[toji]

From @ddorwin on January 10, 2017 19:29

https://w3c.github.io/webvr/#security currently says:

Non-focused tabs are allowed to enumerate Gamepads and VRDisplays but will see last received state or default values.

I think it's worth calling out why this is the case. For example, without this limitation, a background tab on a magic window device could track the user's movement for days without the user's knowledge.

In addition:

• "Tabs" should probably be "documents" or similar.
• This should be stated more directly as a user agent requirement. See also #172.

For discussion, I propose something like:

User agents MUST allow non-focused documents to enumerate Gamepads and VRDisplays but MUST NOT provide position, pose, or other state to non-focused documents.

NOTE: Providing data to non-focused documents could...

This could probably be written pore positively, such as stating that the user agent MUST allow all documents to enumerate and only allow the focused document to get state. However, it is also important to call clarify that non-focused documents must not be able to get such state and why.

Copied from original issue: immersive-web/webxr#173

[toji]

From @ddorwin on January 10, 2017 19:54

Does the device orientation API have language we can use as a model?

[peterclemenko]

I'm not sure, but this should be implemented. This does look like a valid attack vector for at bare minimum deanonymization and tracking from a red team perspective.

[johnpallett]

The Generic Sensor API contains the following language: Sensor readings are only available for the active documents whose visibility state is "visible"

The Device Orientation Event editors draft contains the following language: do not fire events on invisible or backgrounded pages

Unless anyone objects I will add this consideration to the explainer.