Mozilla sends more snooping Web APIs to smartphone Siberia
Light and proximity sensors blocked for Firefox 62
Firefox has revealed it will bin more privacy-invasive APIs, deprecating access to the light sensor, device proximity sensor, and user proximity detection.
The APIs in question have all been criticised for their invasive potential. For example,
devicelight offered potential vectors for snooping on user browsing habits or even passwords.
The other two APIs are
userproximity. As of Firefox 62, these will become user-controlled flags (and for users at the bleeding edge, the deprecation is implemented in the nightly build).
Independent security and privacy researcher and a consultant Dr Lukasz Olejnik, who described the risks in the light sensor API (and now contributes privacy analysis to Mozilla), also identified problems with the proximity APIs in 2016. At the time, he pointed out that while employing user proximity to manage the screen is harmless (for example, disabling it when people are on a phone call), exposing it to Websites could enable user profiling and other unwanted behaviour.
Firefox's developers believe more serious issues may exist. Announcing the deprecation, they wrote: “Those sensor APIs make web apps more like native mobile apps, but given the powerful nature, they can be misused for browser fingerprinting or same-origin policy violations.”
(There appears to be an error in that post: at the beginning, it included
deviceorientation in the deprecation list, but that API will in fact remain.)
Mozilla security developer Jonathan Kingston's message regarding the deprecation said that the orientation and motion sensors would receive warnings that they will be deprecated in the future.
There's still plenty of work to do, though. Last October, researchers reported that browser API-bloat in browsers is also a serious security vulnerability. ®