-
Notifications
You must be signed in to change notification settings - Fork 387
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Behavior when XRSession.visibility is 'visible-blurred' #724
Comments
There does appear to be some relevant text in #638: Under the section about "Mandatory conditions for exposing XRPose data", one of the conditions is: This could probably stand to read more clearly regarding trusted UI, but I would imagine that if the trusted UI has focus then the document itself does not? This is already the case with traditional pages, where if the URL bar for a page is focused then Deriving a suggestion that
I don't think the above would rule out delivering periodic poses to produce, for example, cube maps of the scene that could be reprojected behind the UI? Also, it's not clear to me if this should apply to something like the Steam UI being shown. The natural behavior of that scenario is the "blur" the running application by graying it out, rendering at a lower resolution, and suspending input tracking, but it still appears to track the user's head motion in realtime. A strict reading of the text above would imply that we should suspend poses the the page entirely when any overlay UI like that is displayed because the document is no longer explicitly in focus, which is an unfortunate experience hit in those scenarios. (For example: Desktop browsers don't black out when you focus on a different window, but then again desktop browsers also generally don't have access to your head pose...) |
I think head-pose as input should be distinguished from controller as input. The key here is that whatever will be used to interact with the trusted UI should not be presented to the blurred window. So unless you need to accept a dialog by using your head pose as a gaze proxy (like in a cardboard style device) then I think we can safely provide head pose to a blurred window. |
I wonder if even under those circumstances there isn't still a threat associated with head pose? Like... maybe people naturally move their head to follow the motion controller motion? And if so, it seems like a password might be sniffable? |
The considerations in this issue seem related to conditions for when iframes are allowed to access pose data... some of the threat vectors (input sniffing, gaze tracking) and possible mitigations are similar. @NellWaliczek I couldn't find an issue for that specific question, do you want to track it here? |
We definitely need to make sure we're tracking any potential threats. Can you elaborate a bit on the overlap you see with this issue? Based on that, we can figure out if filing a separate issue would be the better course of action. |
For background, as @toji mentions above, the design proposed in #638 requires that pose data only be available to a session that is visible, and same-origin to, the currently focused area:
This requirement was intended to cover threat vectors for two scenarios:
Input sniffing is a threat vector in both scenarios, whether the input is to a user agent, or to a web page on a different origin than the XR session. As an example of the latter, a top-level domain might present an input for sensitive data (e.g. a password field) that does not trigger a 'visible-blurred' scenario, but might allow an x-origin iframe to sniff the input. Gaze tracking is another relevant treat vector... arguably less of a concern for 'visible-blurred', but it's relevant when considering x-origin iframes that may wish to learn about user behavior on the top-level domain. The exploration above might be useful in both scenarios, and could address both threat vectors. For example, the idea of rendering a cube map might be a valid approach in both scenarios. I don't have an opinion as to whether there should be multiple issues, but there does seem to be similarities in both the threat vectors and possible mitigations. |
Been giving this quite a bit of thought, and I think that there's a bit of a disconnect between the title of this issue and the thing that we're all discussing.
Based on that, the "Behavior when XRSession.visibility is Perfect example: If you ever take focus away from Beat Saber for any reason when you come back the song is paused and you have to click a button to resume, after which you're given a very brief countdown and the gameplay starts up again. Now, that doesn't really answer the questions that everyone is actually discussing in this thread, which is more accurately stated as "When is it safe to use For discussion of when we can re-enable |
PR #742 removes the ability to use |
New issue files specifically to discuss the mitigations necessary to allow use of |
[Disclaimer: This issue is one of several being filed to capture discussions that began either on #638, on #689, or at the most recent F2F]
The current spec text states
It also states
What other, if any, concrete requirements should be added to the behavior of the session RAF, getViewerPose(), getPose(), and the data these APIs return while in this state? For example, should callbacks be forced to throttle down to, uh I don't know, 10fps? Should pose data be quantized or rounded? PR #638 touches on this topic a bit, but doesn't seem to provide any concrete guidance.
The text was updated successfully, but these errors were encountered: