immersive-web / webxr

Repository for the WebXR Device API Specification.
https://immersive-web.github.io/webxr/

security and privacy questionnaire on WebXR Device API #1379

Open himorin opened 3 months ago

himorin commented 3 months ago

This is still a draft version.

Detailed analyses are also in the privacy and security explainer.

toji commented 2 months ago

Thanks for putting together this initial draft! I've got a few comments:

> What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

This seems to be asking more about what information the API surfaces, while your draft response is more about pulling data from external servers. I think something along the following would be more accurate:

"Initially, the WebXR Device API exposes a boolean indicating whether or not the user's device is capable of displaying VR or AR content. To query any further information from the API an XRSession must be started, which requires user consent. For the duration of the session, continuous position, orientation, and optical information for the user's XR device (such as a headset) and any associated controllers are reported on an ongoing basis."

> Do features in your specification expose the minimum amount of information necessary to enable their intended uses?

I'd add a bullet point to this stating:

"The values reported during a session are required in order to allow the page to render appropriately tracked imagery. If the data is not present or inaccurate then the resulting rendering may make the user sick."

We can also mention:

"XRSessions are typically presented full screen on the device, and upon exiting the full screen mode the session ends and the data is no longer reported."

> How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?

We may want to clarify that we don't expose any "typical" PII (like serial numbers or user names).

> Do features in this specification enable access to device sensors?

For clarity, we should mention that the reported position and orientation data is derived from device sensors such as gyroscopes or cameras, but the sensor values themselves are not reported outside of the module that you mentioned.

> A module in future incubation, model element may load 3D asset bundle with script.

While we are discussing the model element under the Immersive Web banner, I don't see it becoming a WebXR API module, so we probably don't need to discuss it as part of this questionnaire.

himorin commented 2 months ago

> Thanks for putting together this initial draft! I've got a few comments:

Thank you so much for the review.

> What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

> This seems to be asking more about what information the API surfaces, while your draft response is more about pulling data from external servers. I think something along the following would be more accurate:

Ah, from "Does your feature expose information to origins?" and the following question on exposing the minimum amount of information necessary to enable their intended uses, I actually thought this was a question about the API itself accessing external services, including ones at the origin.

> "Initially, the WebXR Device API exposes a boolean indicating whether or not the user's device is capable of displaying VR or AR content. To query any further information from the API an XRSession must be started, which requires user consent. For the duration of the session, continuous position, orientation, and optical information for the user's XR device (such as a headset) and any associated controllers are reported on an ongoing basis."

Replaced with this.

> Do features in your specification expose the minimum amount of information necessary to enable their intended uses?

> I'd add a bullet point to this stating:

> "The values reported during a session are required in order to allow the page to render appropriately tracked imagery. If the data is not present or inaccurate then the resulting rendering may make the user sick."

> We can also mention:

> "XRSessions are typically presented full screen on the device, and upon exiting the full screen mode the session ends and the data is no longer reported."

Added both.

> How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?

> We may want to clarify that we don't expose any "typical" PII (like serial numbers or user names).

Added one bullet for clarification.

> Do features in this specification enable access to device sensors?

> For clarity, we should mention that the reported position and orientation data is derived from device sensors such as gyroscopes or cameras, but the sensor values themselves are not reported outside of the module that you mentioned.

Added one bullet.

> A module in future incubation, model element may load 3D asset bundle with script.

> While we are discussing the model element under the Immersive Web banner I don't see it becoming a WebXR API module, so we probably don't need to discuss it as part of this questionnaire.

Added clarification. (I suppose we should at least mention it, since it's within IWWG/CG space.)

toji commented 2 months ago

Looks good, thank you! One more comment:

> APIs do not expose PII on device identification, like device serial number nor user names.

I feel like this sentence was intended to go under the previous section about PII rather than the section about "sensitive information"?

himorin commented 2 months ago

@toji Ah! Yes, thank you for pointing that out.