Add note on remembering previously allowed ports (#107) #226
Add a note that user agents may remember previously allowed ports with a warning that devices won't always have the same port. Fixed WICG#107.
Make sure you've joined the WICG to satisfy the IPR bot.
| visited the same site. Implementations should take caution that | ||
| a device will not always have the same port name, as this is up | ||
| to the operating system, and thus there is a danger that | ||
| allowing access to a previously allowed port may grant access | ||
| to a different device than the user intended. As such, | ||
| implementations should communicate this risk to the user. |
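Review bot: The closing sentence, "implementations should communicate this risk to the user", leaves the mitigation to a warning, and a warning does not stop a remembered permission from applying to a different device once the operating system hands the same port name to it. Consider saying what an implementation may key a remembered permission on, and what it should do when the port name is the only identifier it has, for example not keeping the grant beyond the current session.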
From our implementation experience in Chromium we've found that on Windows the situation is actually pretty good and we use the "device instance ID" to identify ports. Internally Windows generates this ID using a combination of device identifiers and bus topology information. On other platforms we make the more conservative assumption that device names (e.g. /dev/ttyUSB0 or /dev/tty.usbserial0) are not stable and only persist permissions for USB devices where we have a USB vendor ID, product ID and serial number to match.
I would probably rephrase this as,
Implementations should take caution that OS-provided device names may or may not allow accurate reidentification of a device between sessions and should only use properties which are highly likely to identify a specific device when remembering a user's permission decision. When no such identifier is present the permission should be time or session-limited.
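The policy described in the review comment above, as an added sketch that is not part of the pull request, the specification or Chromium's code: a grant is persisted only when the port carries an identifier that is highly likely to name one physical device, and is otherwise limited to the session. The class, the field names (`instanceId`, `usbVendorId`, `usbProductId`, `serialNumber`, `path`) and the key format are assumptions made for the illustration.

```javascript
// Added illustration: a model of a user agent's remembered serial-port grants.
// All names below are assumptions for this sketch, not a real browser's data model.

// Return a key that is highly likely to identify one physical device, or null.
function stableKey(port) {
  // e.g. an OS-generated instance ID built from device identifiers and bus topology
  if (port.instanceId) return `instance:${port.instanceId}`;
  if (port.usbVendorId != null && port.usbProductId != null && port.serialNumber) {
    return `usb:${port.usbVendorId}:${port.usbProductId}:${port.serialNumber}`;
  }
  return null; // only an OS-assigned name such as /dev/ttyUSB0 is available
}

class PortPermissions {
  constructor() {
    this.persistent = new Map(); // origin -> Set of stable keys, kept across sessions
    this.session = new Map();    // origin -> Set of port objects, dropped at session end
  }

  // Record the user's decision and report how long it will be honoured.
  grant(origin, port) {
    const key = stableKey(port);
    const store = key ? this.persistent : this.session;
    if (!store.has(origin)) store.set(origin, new Set());
    store.get(origin).add(key ?? port);
    return key ? "persistent" : "session";
  }

  // port.path is never consulted: the OS may give the same name to another device.
  isAllowed(origin, port) {
    const key = stableKey(port);
    if (key) return this.persistent.get(origin)?.has(key) ?? false;
    // Without a stable key, only the exact port object granted this session matches.
    return this.session.get(origin)?.has(port) ?? false;
  }

  endSession() {
    this.session.clear();
  }
}
```
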
Add a note that user agents may remember previously allowed ports with a warning that devices won't always have the same port.
Fixed #107.