Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not permit unique info in ID #96

Closed
wants to merge 2 commits into from
Closed

Conversation

sagoston
Copy link
Contributor

@sagoston sagoston commented Aug 5, 2019

Closes #73

The following tasks have been completed:

  • Modified Web platform tests (link to pull request)

Implementation commitment:


Preview | Diff

@tomrittervg
Copy link

Typo: 'indentifying'

@nondebug
Copy link
Collaborator

nondebug commented Aug 5, 2019

An identification string for the gamepad. This string identifies the brand or style of connected gamepad device. Typically, this will include the USB vendor and a product ID. This string MUST NOT contain any information identifying a unique gamepad device.

It's not clear to me whether existing browsers would need to change their behavior to comply with the new spec language. The original bug mentioned that some devices expose serial numbers in the product name. Would the spec change require that the product name not be included in the ID string?

@sagoston
Copy link
Contributor Author

sagoston commented Aug 5, 2019

An identification string for the gamepad. This string identifies the brand or style of connected gamepad device. Typically, this will include the USB vendor and a product ID. This string MUST NOT contain any information identifying a unique gamepad device.

It's not clear to me whether existing browsers would need to change their behavior to comply with the new spec language. The original bug mentioned that some devices expose serial numbers in the product name. Would the spec change require that the product name not be included in the ID string?

I don't think this is a problem. I've not seen any browser/device combo which emits a unique serial/mac address so far. Which device/browser has been identified to expose unique data? Or was the speculation that it could be a problem?

@nondebug
Copy link
Collaborator

nondebug commented Aug 5, 2019

HTML5 Gamepad Tester logs ID strings, which is helpful for collecting IDs of less common devices. Jumping to the end of the list reveals device IDs that were seen only once.

https://html5gamepad.com/controllers

The device with VID:PID 0483:572b exposes garbage data for the product name which might be a serial number:

ẋ嚕冕쁁攥犡䋀几훝쭪磌蛱�홧�匟ꢦ�↝䦍ῳ (Vendor: 0483 Product: 572b)

There are also several entries with product name "Virtual Gamepad" followed by a unique string:

0001-0001-Virtual Gamepad: 3q9E8kho9

@sagoston
Copy link
Contributor Author

sagoston commented Aug 5, 2019

HTML5 Gamepad Tester logs ID strings, which is helpful for collecting IDs of less common devices. Jumping to the end of the list reveals device IDs that were seen only once.

The device with VID:PID 0483:572b exposes garbage data for the product name which might be a serial number:

ẋ嚕冕쁁攥犡䋀几훝쭪磌蛱�홧�匟ꢦ�↝䦍ῳ (Vendor: 0483 Product: 572b)

There are also several entries with product name "Virtual Gamepad" followed by a unique string:

0001-0001-Virtual Gamepad: 3q9E8kho9

These "Virtual Gamepads" are getting reported with "Virtual Gamepad: 3q9E8kho9" as the name of the device type/class. All the actual gamepad controller devices report only the type, not the unique instance. Approximately 20 uses of "Virtual Gamepad" are the exception.

As for the STMicro device (Vendor: 0483 Product: 572b), I don't know if that's garbage or something significant

@sagoston sagoston closed this Sep 19, 2019
@sagoston sagoston deleted the sagoston/security branch September 19, 2019 05:45
@tomrittervg
Copy link

Why was this closed?

@sagoston
Copy link
Contributor Author

We're making activation of the gamepad more explicit (requiring button state to go from unpressed to pressed) and adding a feature policy to only explicitly allow iframes use of the gamepad. With these changes, requiring uniqueness in the id becomes less critical.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

id field in gamepad might have a persistent identifier?
3 participants