Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict getGamepads() to [SecureContext] #113

Closed
marcoscaceres opened this issue Sep 23, 2019 · 5 comments · Fixed by #120
Closed

Restrict getGamepads() to [SecureContext] #113

marcoscaceres opened this issue Sep 23, 2019 · 5 comments · Fixed by #120

Comments

@marcoscaceres
Copy link
Member

We should evaluate that impact of making getGamepads() only available in SecureContext (as we did with Geolocation).

We might need to figure out some kind of deprecation timeline for the http/insecure API.
@nondebug nondebug mentioned this issue Oct 19, 2019
Merged
4 tasks
@Miniontoby
Copy link

Miniontoby commented Feb 27, 2023
edited
Loading

I have a local media/web server which isn't able to get SSL without problems, but I still REALLY need this function! Any ideas?

btw it says getGamepad will now require (...), but it should say getGamepads will now require (...), since it is navigator.getGamepads() and not navigator.getGamepad()

@marcoscaceres
Copy link
Member Author

marcoscaceres commented Feb 27, 2023
edited
Loading

I think local-network-access (if the community gets agreement and it gets standardized) will solve for this. If I understand that spec correctly, it will allow for local things to be treated as "secure context".

@reillyeon
Copy link
Member

I think https://wicg.github.io/local-network-access/ (if the community gets agreement and it gets standardized) will solve for this. If I understand that spec correctly, it will allow for local things to be treated as "secure context".

I don't think that is what this proposal suggests.

@Miniontoby
Copy link

Miniontoby commented Mar 1, 2023
edited
Loading

I think https://wicg.github.io/local-network-access/ (if the community gets agreement and it gets standardized) will solve for this. If I understand that spec correctly, it will allow for local things to be treated as "secure context".

I don't think that is what this proposal suggests.

Yeah partly it is not that. I just don't see in how requesting/getting access to the current connected gamepads would be usefull for 'hackers' to do malisious things. I understand camera and microphone would have to be secure context, but this, this just doesn't make sense.

But maybe the local network access would be the solution for me if this really is being forced into, but else please rethink your idea of making this function secure context only.

Btw the ongamepadconnected event doesn't seem to be removed for non secure context (or at least it doesn't give message there) with this and still gives you access to the connected gamepad, but because chrome just saves a snapshot so you cannot do very much with it.

@marcoscaceres
Copy link
Member Author

The API has been shown to be used for fingerprinting whenever possible, so a third-party can (and do!) inject a scripts to poke at the Gamepad API. Having secure context mitigates some of this privacy annoyance.

Also, future versions of the gamepad API could allow communicating more directly with a gamepad... that will require secure contexts.

@marcoscaceres marcoscaceres mentioned this issue Feb 7, 2024
Closed
@zhangyx1998 zhangyx1998 mentioned this issue May 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Require secure context for gamepad state and events nondebug/gamepad
3 participants
@reillyeon @marcoscaceres @Miniontoby