Change blur/focus to visibilitychange #687
Conversation
index.bs
Outdated
| @@ -1958,7 +1968,7 @@ Gaze Tracking {#gazetracking-security} | |||
|
|
|||
| While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar. | |||
|
|
|||
| To prevent this risk the user agent MUST [=blur all sessions=] when the users is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on a other pages the user agent MUST [=blur all sessions=] on non-focused pages. | |||
| To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/hidden}} or {{XRVisibilityState/background}} with throttled frame production when the users is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on a other pages the user agent MUST set the [=visibility state=] of all {{XRSession}}s on non-focused pages to {{XRVisibilityState/hidden}}. | |||
There was a problem hiding this comment.
Interesting - is the idea then that during background an app's frames are not being displayed, but it should keep its render loop going? Or the idea that during background the app is throttled to 5 fps, counting on reprojection to keep the view reasonable? Do we have a belief that UAs can throttle enough to eliminate the privacy risk without causing users to be uncomfortable?
There was a problem hiding this comment.
Or sometimes background is during a sensitive overlay (e.g. 5 fps) and sometimes background is during a non-sensitive overlay (e.g. 60/90 fps)?
There was a problem hiding this comment.
Yes. This is to allow for UAs to have some flexibility in how they display sensitive content AND to let UAs take advantage of some platforms features where the content is still visible even when the input focus is elsewhere. Primary example of that I can think of is Steam VR, which continues to display the app (lower res and greyed out, but still live) when you pull up the Steam overlay.
This is a situation in which the app would be put in that state but still pump frames at ~full speed.
You could also picture a scenario where the app is placed in that state but rendering is severely throttled to the point where it may only render intermittently to patch up around reprojection or even just process one frame to make a cubemap. This could be either for privacy reasons OR simply because the device lacks the horsepower to render two realtime stereo scenes at once. I don't believe the API should differentiate between those scenarios to the developer. Whether or not the UA is comfortable with that being sufficient to preserve privacy is up to them, though the hidden state is always available as a last resort.
|
Updated to take into account feedback from Alex. |
|
LGTM |
|
Done, done, and done. Thanks! |
There was a problem hiding this comment.
Mostly looking good! Two main comments are: a clarification question about throttling as the only acceptable mitigation and a desire to have normative text explaining the expected relationship between the page visibility and the session visibility on various hardware form factors.
Fixes #488 Fixes #468 Changes the `blur` and `focus` events to `visibilitychange`, along with a `visibilityState` attribute on the `XRSession`. The `visibilityState` may be `visible`, `hidden`, or `background`. This is pretty close to the `document.visibilityState` attribute and associated event, with the exception of the `background` state.
AdaRoseCannon
added
ed:explainer
A proposal, based on discussion at the F2F.
Fixes #488
Fixes #468
Changes the
blurandfocusevents tovisibilitychange, along witha
visibilityStateattribute on theXRSession. ThevisibilityStatemay be
visible,hidden, orbackground. This is pretty close to thedocument.visibilityStateattribute and associated event, with theexception of the
backgroundstate.