
Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs




Starting with Firefox 60, expected to be released in May 2018, websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information.

Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs.

But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default.

This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors.

A total of five new flags added


The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.




The Firefox code commit in which these two flags were added also includes three other flags: one to enable or disable all sensor APIs, one to enable/disable the Device Orientation Sensor API, and one to enable/disable the Motion Sensor API.




These three flags will ship enabled by default, as access to these two APIs is needed by a wide range of mobile websites.

Privacy concerns over the Proximity and Ambient Light APIs


The Proximity and Ambient Light sensors are both new and highly controversial. A key factor in the decision to ship these two APIs disabled by default is the work of privacy expert Lukasz Olejnik.

Olejnik published two research reports on the possible ways attackers and advertisers could abuse these two APIs.

For example, Olejnik argued that the W3C Proximity Sensor API could allow websites and advertisers to query the position of nearby objects in relation to a user's smartphone or tablet. He also argued that malicious sites could use the W3C Ambient Light Sensor API to steal browser data.

Shipping these two APIs off by default takes care of some of Olejnik's concerns, although it does not mitigate the risk altogether.

"More user control is always good," Olejnik said regarding Mozilla's decision.


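A profile audit for the five flags described in the article, as an added example that is not part of the original article or Mozilla's code. The preference names are the ones Firefox lists in about:config (the article does not spell them out); the sample profile contents are constructed, and treating the all-sensors flag as overriding the per-sensor flags is an assumption based on the article's description.

```python
import re

# Defaults as the article describes them for Firefox 60: proximity and ambient
# light ship disabled; the all-sensors, orientation and motion flags ship enabled.
DEFAULTS = {
    "device.sensors.enabled": True,
    "device.sensors.orientation.enabled": True,
    "device.sensors.motion.enabled": True,
    "device.sensors.proximity.enabled": False,
    "device.sensors.ambientLight.enabled": False,
}
MASTER = "device.sensors.enabled"
PRIVACY_SENSITIVE = ("device.sensors.proximity.enabled",
                     "device.sensors.ambientLight.enabled")

# Matches lines such as: user_pref("device.sensors.motion.enabled", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>true|false)\s*\)\s*;', re.M)

def strip_comments(text):
    """Remove /* */ blocks and // comment lines so commented-out prefs are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def effective_prefs(*pref_texts):
    """Apply prefs.js, then user.js (later files win), on top of the defaults."""
    prefs = dict(DEFAULTS)
    for text in pref_texts:
        for m in PREF_RE.finditer(strip_comments(text)):
            if m.group("name") in DEFAULTS:
                prefs[m.group("name")] = m.group("value") == "true"
    return prefs

def exposed_sensors(prefs):
    """Return the privacy-sensitive flags that a profile has effectively re-enabled."""
    if not prefs[MASTER]:
        return []  # assumption: the all-sensors flag off disables every sensor API
    return [name for name in PRIVACY_SENSITIVE if prefs[name]]

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.page", 3);
user_pref("device.sensors.proximity.enabled", true);
// user_pref("device.sensors.ambientLight.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("device.sensors.motion.enabled", false);\n'

if __name__ == "__main__":
    print(exposed_sensors(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)))
```

Run it against the `prefs.js` and `user.js` of each managed profile to find machines where a user or an extension has turned the two default-off sensor APIs back on.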
