(This issue is branched from a proposal made in #5 (comment) since there seemed to be adequate support for making such a spec update.)
Problem:
Malicious content such as framed tracker scripts using the API to fingerprint users.
Proposed solution:
Make the API available only within a secure context that is also a top-level browsing context. This disallows the use of the API within framed content, as well as from any content that is not a secure context.
See top-level documents and framed documents for illustrations.
Summary of changes:
There exists a hook in the spec to implement this change with no API surface changes in a backwards compatible manner:
- if the API is invoked from within a browsing context that is not a secure context and not a top-level browsing context, then
- leave the promise returned by
getBattery() in a pending state
This means we won't break existing web content using the API.
@riju volunteered to look into updating the Chromium/Blink implementation accordingly after the spec changes have landed.
(This issue is branched from a proposal made in #5 (comment) since there seemed to be adequate support for making such a spec update.)
Problem:
Malicious content such as framed tracker scripts using the API to fingerprint users.
Proposed solution:
Make the API available only within a secure context that is also a top-level browsing context. This disallows the use of the API within framed content, as well as from any content that is not a secure context.
See top-level documents and framed documents for illustrations.
Summary of changes:
There exists a hook in the spec to implement this change with no API surface changes in a backwards compatible manner:
getBattery()in a pending stateThis means we won't break existing web content using the API.
@riju volunteered to look into updating the Chromium/Blink implementation accordingly after the spec changes have landed.