Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs

Stating with Firefox 60 -- expected to be released in May 2018 -- websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. From a report: Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors. The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

What are these API for?

[Chatterton]

Why does these API have been created for? I don't really se a use case for them :( What other API are being put in without any really interesting use-case?

Re:What are these API for?

I suppose you could adjust styling based on light and proximity. Bigger fonts at longer distances, different color / contrast based on lighting. Who would go to the trouble of actually implementing that I have no idea, so anyone that is using it is probably fingerprinting.

Re: What are these API for?

Sounds great. Any actual real world uses or are these just more features dreamed up by "designers" that never get used by any majority of ppl and just contribute to feature bloat?

Re:What are these API for?

[BlackPignouf]

Stating with Firefox 61 -- expected to be released in June 2018 -- websites won't be able to use Firefox to access data from sensors that provide wanking and nose-picking information.

Re:What are these API for?

[iampiti]

I don't know about the W3C but for Firefox they were probably useful in the context of Firefox OS which was a mobile OS with a web engine as its runtime.

Re:What are these API for?

[Ol+Olsoc]

Stating with Firefox 61 -- expected to be released in June 2018 -- websites won't be able to use Firefox to access data from sensors that provide wanking and nose-picking information.

That's what black electrical tape is for.

Re:What are these API for?

[zifn4b]

Why does these API have been created for? I don't really se a use case for them :( What other API are being put in without any really interesting use-case?

Support for irrelevant features by an irrelevant browser. Surprise surprise.

Re:What are these API for?

[nnull]

Which browser is still relevant?

Re:What are these API for?

[DarkOx]

I can see a page switching between a night time and day time theme like the GPS in my car does for one thing. Is that worth the loss of privacy in a networked application, probably not but you asked for a use case so I gave you one.

Re:What are these API for?

[higuita]

Actually this is a W3C API and chrome also support it... at least in mobile. In desktop i think they disabled it as there is usually no sensors... in firefox they are also enabled, but without sensors (almost everyone), the value is fixed

remember that many of this are there to test if it is useful and if sites start to use it for cool things... sadly several features are just abused by trackers and later disabled.

Re:What are these API for?

[wonkey_monkey]

If you need black electrical for wanking and nose-picking, you're doing it wrong.

Re:What are these API for?

[wonkey_monkey]

Black electrical tape, dammit.

Re:What are these API for?

[GuB-42]

It may be a relic from FirefoxOS.

There is this idea that the browser is now an OS where all apps are essentially web pages. To make this work, apps need a way to access the hardware, just like executables can do in more traditional OSes.

Re:What are these API for?

[tlhIngan]

Why does these API have been created for? I don't really se a use case for them :( What other API are being put in without any really interesting use-case?

Web based apps. Not traditional web apps that go over the network and talk to a webserver via AJAX and the like (though you can to retrieve data), but fully self-contained applications using HTML, CSS and Javascript.

I wouldn't be surprised if it was an Apple initiative - remember, Steve Jobs wanted people to code in HTML/CSS/JavaScript to write apps for the original iPhone, so they added a bunch of APIs to support that. It was why Apple ported Safari to Windows. Remember, web apps were to be first class citizens indistinguishable from native apps. (And these days, they're one of the two ways to get an app onto iOS without Apple's approval).

Re:What are these API for?

[nospam007]

"I can see a page switching between a night time and day time theme like the GPS in my car does for one thing."

OTOH a gizmo with a GPS, a calendar and a clock knows when it gets dark anywhere in the world and also when you enter a tunnel so an ambient light detector is somewhat superfluous.

Re:What are these API for?

[thegreatbob]

All the things that should've been added using a robust plugin system, ... RIP XUL

Re:What are these API for?

[DarkOx]

Right but my desktop PC does not have GPS and neither does my laptop. The clock on either may or may not reflect the desired condition. In the interior of some office building if you are pulling an all nigher you might be under bright fluorescent light even if its 11pm where you are according to the clock and time zone data. A laptop might be in use in an dimmed air craft cabin or train car even in the middle of the day..

An ambient light sensor IS the right type of sensor for this consideration.

Why was this even possible?

Why the hell would there even be APIs to allow websites to interrogate information about your machine?

The answer to any website asking for anything more than the user agent should be no, sorry, fuck off.

I can't imagine why any of this information should ever be given to a damned website.

Re:Why was this even possible?

[iampiti]

While security can't ever be perfect I'm fine with these APIs as long as they're opt in.
It works that way with the location API: The browser informs the user that the website wants to access the location and it's up to the user to authorize it. Same with notifications.

Re:Why was this even possible?

[higuita]

you are only thinking in desktop, but in tablets and phones you may want to change the white background to a warm white background if the light is lower, so it does not hurt the human eye or require user adjusting the brightness level. Also, interactive sites and specially WebRTC may want to disable touch input if the proximity sensor flags in, so you do not submit any bad email or ruin a game or simply hangup or turn on video chat.

This was very important for Firefox OS, but without it they are less important and little real world usage is detected... except for trying to track the user... that is why is being disabled now. Of course without it, you have to trust your phone OS to do that

On desktop, as you do not have those sensors most of the time, the value is fixed and mostly useless.

The battery API was more useful, it allowed sites to disabled CPU/GPU heavy features depending of the battery... but it was also abused and later disabled

Re:Why was this even possible?

[tepples]

but in tablets and phones you may want to change the white background to a warm white background if the light is lower, so it does not hurt the human eye or require user adjusting the brightness level.

That would be at the level of the operating system, not the browser, and certainly not an individual web application.

Also, interactive sites and specially WebRTC may want to disable touch input if the proximity sensor flags in

That would also be at the level of the operating system.

Re:Why was this even possible?

[higuita]

in firefox OS, firefox was almost all the OS... even the apps were mostly web pages.
Even ignoring that, sites could change the css theme depending of the light sensor values, or web games use the proximity sensor to add new game features (like a very poor xbox kinetics feature).

Again, the idea was to give access to it and see how people used it, sometimes there are weird ideas that do use small and simple features.
This one didn't work, that is why is being disabled

Proximity? To what? Fingers to keyboard?

[jabberw0k]

Why would anyone even want a device that has invasive sensors in it?

Re:Proximity? To what? Fingers to keyboard?

[mysidia]

These aren't invasive sensors --- they're not collecting individually-identifiable information like a Camera or Microphone does, and the readings could be used to provide a friendlier browsing experience..... for example: lower light could default to a darker theme to reduce eye-strain.

Greater distance could select a "Big Screen/Big Picture/Dashboard" view versus an "Near view"

It might not be something every website needs, but I can think of at least a few web-based applications such as "Cloud-based media consumption --- sites like Youtube.com", or cloud-based enterprise applications where it could be useful.

Re:Proximity? To what? Fingers to keyboard?

[amorsen]

Why would anyone even want a device that has invasive sensors in it?

Because it is handy that the phone adjusts backlight based on ambient light. Also, phones (and most laptops) have much more invasive sensors known as camera and microphone.

Re:Proximity? To what? Fingers to keyboard?

[tepples]

Say the user wants the ambient light to control not only the OS-controlled backlight brightness but also a website's color scheme, in particular light on dark vs. dark on light. With what markup should a website declare both color schemes to the browser in order to allow the browser to choose one based on the brightness level read from the operating system?

Re:Proximity? To what? Fingers to keyboard?

[amorsen]

The phone's OS handles backlight control based on ambient light, not your damn web browser.

Read my post before going off on a tirade. It is only 3 sentences, including the quote that I replied to.

Re:Proximity? To what? Fingers to keyboard?

[tepples]

multiple CSS style sheets, one of them being the default
https://www.w3.org/TR/html401/...

Alternatively, they don't. The user configures user-specific style overrides in their UA and the UA applies them depending on sensor output.

With what UI control in each major browser does the user so configure it to apply one of "multiple CSS style sheets, one of them being the default" during high ambient light and the other during low?

Re:Stop putting the operating system in the browse

[tepples]

So you would prefer a policy such that newly encountered domains default to script off. Under this policy, how would a web application that falls into "the small amount of use case that actually need scripting" demonstrate to the user that it is worthy of "opt in explicit consent"?

Proximity of smartphone to ear

[tepples]

In a WebRTC voice and video chat application running in a web browser on a smartphone, proximity of the user's smartphone to the ear could be used to automatically switch between speakerphone mode (with half duplex, higher volume, and optional video) and non-speakerphone mode (with lower volume, full duplex, and no video).

Re:Proximity of smartphone to ear

[omnichad]

The phone's own dialer doesn't even do that. Probably because there's a lot of use cases and you'd rather have direct control anyway.

Re:Stop putting the operating system in the browse

[fibonacci8]

"Dinner and a movie" is traditional before that level of commitment.

Re:this is bullshit

[tepples]

My first guess is that it was coded for the dialer of Firefox OS, a phone operating system in which all applications including the dialer are web applications. The dialer needs to make certain decisions based on proximity of the phone to the user's ear. Even outside Firefox OS, so does any voice chat application.

Safari and Firefox

[cerberusss]

Thank you Mozilla. Firefox and Safari are the browsers who look like they care about privacy, and they're currently my choices.

Good luck running a Mac app on a non-Mac

[tepples]

Under this policy, how would a web application that falls into "the small amount of use case that actually need scripting" demonstrate to the user that it is worthy of "opt in explicit consent"?

Who gives a fuck?

People who use operating systems other than the majority desktop operating system, for one. If most web browsers did not run script, developers of web applications would instead develop native applications, which are specific to a single operating system and instruction set architecture. What good is a Linux (x86-64) executable on a Linux (ARM) device? What good is a native executable for macOS on anything but a Mac? What good is even the source code for a Cocoa application on anything but a Mac?

At least with the web platform, one application can use a useful subset of the HTML5 standard to reach users across Windows desktop, Windows UWP, macOS, X11/Linux, iOS, and Android, without needing to recompile the application for multiple platforms and buy a separate software publisher certificate for each platform.

Re:Good luck running a Mac app on a non-Mac

[tepples]

So, your solution is to let everyone run javascript, in case someone you trust need to? All the while letting places you shouldn't trust run scripts because that's the default?

No. I was commenting on Anonymous Coward #56247539's proposed policy of whitelisting script site and asking how a site would go about expressing to the user that it is worthy of opting in. To this, Anonymous Coward #56247827 replied:

I see absolutely no reason why we should be trusting web sites to run scripts at all. [...] Who gives a fuck?

Correct me if I'm wrong, but this implied to me that no site ought to be trusted. If this is the case, and if there is no generic "application player" for all major operating systems that is not a web browser, then this means applications are specific to an operating system, which is an outcome that I find undesirable.

You wrote:

Why should I by default trust that any random website?

You shouldn't, unless the site has done something to make it trustworthy. So let me restate my question: In an environment where script is whitelisted, what ought a site hosting a web application to do to make it trustworthy?

Re:Stop putting the operating system in the browse

[FatdogHaiku]

So you would prefer a policy such that newly encountered domains default to script off. Under this policy, how would a web application that falls into "the small amount of use case that actually need scripting" demonstrate to the user that it is worthy of "opt in explicit consent"?

Isn't that exactly what the noscript HTML tag is for?
You hit a page that thinks it needs scripting and you get a message asking you to enable it... maybe showing a GIF promising all kinds of wonderful things the site can do for you..

Re:Stop putting the operating system in the browse

[tepples]

Isn't that exactly what the noscript HTML tag is for?

No, because a user agent that supports script but fails to fetch a particular script will neither run the script nor show the contents of the <noscript> element. Last I heard, it was best practice to ignore the existence of the <noscript> tag, instead including the no-script content in the main document and having script slap a class onto the <html> element once the script actually loads, so that CSS code in the stylesheet hides the script.

But in any case: What contents should a web application put into its elements shown when the script does not run in order to demonstrate to the user that it is worthy of "opt in explicit consent"?

maybe showing a GIF promising all kinds of wonderful things the site can do for you..

What makes a reasonable user willing to trust the information presented in said GIF?

Proximity: Wrong scale

[DrYak]

you've got the wrong scale regarding proximity. it's not about the number of meters from the device to the user.
it's more "is there something pressed against the screen ?" (like the user's cheek and ear in case of a smartphone).
That's the thing that turn off the screen and (even more important) the touch screen while you're talking into the phone (that is : with the whole smartphone's body against your head. Not using earphones / bluetooth).

Web apps are a thing, and in some case, such as Skype, the web app (http://web.skype.com in this case) *is* the app. The new "native" Linux client is basically the web app, but packaged together with chrome, thanks to Electron framework. (and initially, wrapped together with the necessary plug-in to enable voice-chat, back when it used microsoft-edge-only api instead of webrtc. things have moved since and call work in bare firefox without any plugin and only webrtc).

(I haven't bothered to check, but I strongly suspect that the android app also shares code heavily this web app)

By providing an API to light and proximity sensors, it gives the web app a (web-)standard way to be able to behave like a normal phone app during calls and have the screen shut down so your cheek won't accidentally click on stuff.
Thus SkypeWeb opened in Firefox will act the same as the regular app, and all of them could potentially use the exact same API (instead of the Android App, iOS App, Windows APP all using their system's specific sensors API and Firefox not even being able to).

Same way of thinking could be applied to any other on-line voice calling platform's web app, or even "native" for the cases where "native" is just a wrapped up web app.

The problem, is that some rogue script on some mailicious website/ad could abuse it: e.g only do nefarious things such as mining cpu-cryptocoin only when the user isn't looking.
So these API will go the same way as all other sensitive API such as Location/GPS API : diabled by default, let user only enabled them on the sites where it's genuinely needs (Location: e.g. on google maps).

Re:Proximity: Wrong scale

[nospam007]

"That's the thing that turn off the screen and (even more important) the touch screen while you're talking into the phone"

So that one can take a picture of the ear, a very distinctive mark that allows to identify the user among millions of people.

Voice calls

[DrYak]

Voice calls are typically an exemple where the proximity sensors is used to shut down the screen and touch sensors.
(e.g.: If the proximity sensors senses that the whole face is against the screen, because the user is holding the phone against the ear instead of using earphones / bluetooth, then this is necessary to avoid the users' cheek clicking on random stuff on the screen).

Skype has a fully functionnal web app (web.skype.com) and on Linux, the new "native" app is basically just the web app wrapped together with a chrome browser.
Such an app would be a prime candidate for using such API.

Now a single web standard can be used whenever the user hold a smartphone to make a call, instead of each wrapped web app requiring special plugins calling into whatever that peculiar platform uses. (be it web.app in Firefox on your smartphone, web.app wrapped in a browser on your ubuntu touch phone, perhaps even web.app wrapped in an android app)

Standard feature

[DrYak]

The phone's own dialer doesn't even do that.

What ?
it's a standard feature on the phone's cell voice calling on nearly any smartphone I've had.
Put the smartphone against your ear: the screen shuts down, so your cheek won't accidentally click on stuff
Put the smartphone down: the screen light ups showing you a numpad (e.g.: so you can click on a number pad for number-driven menus a.k.a. "Press 1 if you are calling regarding ###") and/or an optional toggle to increase volume.

This is just providing a web standard, so a a webapp like SkypeWeb can mimmick the same behaviour.

Re:Standard feature

[omnichad]

Yeah, that's not what I'm saying the phone's dialer doesn't do. Read what I replied to more closely:

automatically switch between speakerphone mode (with half duplex, higher volume, and optional video) and non-speakerphone mode

The screen turning on is not speakerphone mode.

Re:Standard feature

[tepples]

Put the smartphone against your ear: the screen shuts down

I think the claim is that proximity ought to disable the screen and touch screen at the level of the operating system, not that of the browser. The dialer (be it built-in or Skype for Web) would always request that the operating system display the number pad. And then based on proximity, the operating system would choose whether or not to display what the dialer has requested and whether or not to pass on touch events to the dialer. If the dialer absolutely needs to determine whether the number pad is displayed, I guess it could listen for visibilitychange events or determine whether requestAnimationFrame() called its callback in the past second.

Re:Standard feature

[swillden]

it's a standard feature on the phone's cell voice calling on nearly any smartphone I've had.

Except on TV and movies. It annoys me (very mildly, but still) that when actors "talk" on the phone the screen stays lit.

Re:Stop putting the operating system in the browse

[higuita]

you have add-on for that, install no-script and you get the 99% static page without any api (as all APIs are javascript based)

Re:Stop putting the operating system in the browse

[Cajun+Hell]

He's talking about web browsers. You're talking about some kind of web application loader/RTS. Oh shit -- they're the same thing! No wonder we're so fucked.

Will the anal probes be disabled too?

[Dirk+Becher]

I hope they have something up the pipeline.

Re:Stop putting the operating system in the browse

[tepples]

When was it that ignoring the existence of the [<noscript> tag] is the best practice???

Since "progressive enhancement". See "Shouldn't we use <noscript> element?" by Jitendra Vyas et al.

Re:Stop putting the operating system in the browse

[tepples]

For reaching users on Windows desktop, Windows UWP, X11/Linux, Android, macOS, and iOS, which "web application loader/RTS" is superior to the HTTPS + HTML + CSS + JavaScript stack in your opinion?

Patchable

[DrYak]

Read what I replied to more closely:

automatically switch between speakerphone mode (with half duplex, higher volume, and optional video) and non-speakerphone mode

The screen turning on is not speakerphone mode.

For the specific trick of automatically boosting the volume whenever the phone is away from the users' face, though it's not a default option on most android phones, I'm sure you'll find apps on the Play Store and a dozen of users' patchs on more hacker community oriented OSes (HP/Palm webOS, Jolla's Sailfish, etc.)

API abuse

[DrYak]

You'd still need to find a way to persuade the victim to also enable cam access to that rogue malicious script, but yes,
that would be a typical way to abuse such modern web API, to almost-litteraly get a finger print, which can be monetized by tracking by ad provider.
A malicious chat app (like the scam clones of WhatsApp) would actually manage to have a valid reason to ask for proximity and camera.

The big pro, is that usually the selfie-cam is close to the ear speaker which in turn (for obvious reason) is close to the proximity sensors. So the ear will definitely be in-frame for the selfie cam.
The big con, is that the selfie cam isn't optimized to focus on extreme close ups. (The attacker would need to correctly time the moment the ear leaves the vicinity of the proximity sensor, with the best moment to take a sharp-enough picture of the retreating ear. e.g.: after the sensors notice ear departure, wait 500ms and take the picutre then, it's should be in the best focus range).